negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(run-openclaw-podman): add SELinux :Z mount option on enforcing/permissive hosts (#39449)

Browse Source 
* fix(run-openclaw-podman): add SELinux :Z mount option on Linux with enforcing/permissive SELinux

* fix(quadlet): add SELinux :Z label to openclaw.container.in volume mount

* fix(podman): add SELinux :Z mount option for Fedora/RHEL hosts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: sallyom <somalley@redhat.com>

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: sallyom <somalley@redhat.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
langdon
2026-03-08 18:53:09 -04:00
committed by GitHub
parent 3ea3a1c0ca
commit bd1fe4d8b4
3 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -46,6 +46,7 @@ Docs: https://docs.openclaw.ai
- Context engine registry/bundled builds: share the registry state through a `globalThis` singleton so duplicated bundled module copies can resolve engines registered by each other at runtime, with regression coverage for duplicate-module imports. (#40115) thanks @jalehman. - Context engine registry/bundled builds: share the registry state through a `globalThis` singleton so duplicated bundled module copies can resolve engines registered by each other at runtime, with regression coverage for duplicate-module imports. (#40115) thanks @jalehman.
- macOS/Tailscale gateway discovery: keep Tailscale Serve probing alive when other remote gateways are already discovered, prefer direct transport for resolved `.ts.net` and Tailscale Serve gateways, and set `TERM=dumb` for GUI-launched Tailscale CLI discovery. (#40167) thanks @ngutman. - macOS/Tailscale gateway discovery: keep Tailscale Serve probing alive when other remote gateways are already discovered, prefer direct transport for resolved `.ts.net` and Tailscale Serve gateways, and set `TERM=dumb` for GUI-launched Tailscale CLI discovery. (#40167) thanks @ngutman.
- Podman/setup: fix `cannot chdir: Permission denied` in `run_as_user` when `setup-podman.sh` is invoked from a directory the target user cannot access, by wrapping user-switch calls in a subshell that cd's to `/tmp` with `/` fallback. (#39435) Thanks @langdon and @jlcbk. - Podman/setup: fix `cannot chdir: Permission denied` in `run_as_user` when `setup-podman.sh` is invoked from a directory the target user cannot access, by wrapping user-switch calls in a subshell that cd's to `/tmp` with `/` fallback. (#39435) Thanks @langdon and @jlcbk.
- Podman/SELinux: auto-detect SELinux enforcing/permissive mode and add `:Z` relabel to bind mounts in `run-openclaw-podman.sh` and the Quadlet template, fixing `EACCES` on Fedora/RHEL hosts. Supports `OPENCLAW_BIND_MOUNT_OPTIONS` override. (#39449) Thanks @langdon and @githubbzxs.
## 2026.3.7 ## 2026.3.7

2
scripts/podman/openclaw.container.in
View File

@@ -11,7 +11,7 @@ ContainerName=openclaw
UserNS=keep-id UserNS=keep-id
# Keep container UID/GID aligned with the invoking user so mounted config is readable. # Keep container UID/GID aligned with the invoking user so mounted config is readable.
User=%U:%G User=%U:%G
Volume={{OPENCLAW_HOME}}/.openclaw:/home/node/.openclaw Volume={{OPENCLAW_HOME}}/.openclaw:/home/node/.openclaw:Z
EnvironmentFile={{OPENCLAW_HOME}}/.openclaw/.env EnvironmentFile={{OPENCLAW_HOME}}/.openclaw/.env
Environment=HOME=/home/node Environment=HOME=/home/node
Environment=TERM=xterm-256color Environment=TERM=xterm-256color

24
scripts/run-openclaw-podman.sh
View File

@@ -183,14 +183,30 @@ fi
ENV_FILE_ARGS=() ENV_FILE_ARGS=()
[[ -f "$ENV_FILE" ]] && ENV_FILE_ARGS+=(--env-file "$ENV_FILE") [[ -f "$ENV_FILE" ]] && ENV_FILE_ARGS+=(--env-file "$ENV_FILE")
# On Linux with SELinux enforcing/permissive, add ,Z so Podman relabels the
# bind-mounted directories and the container can access them.
SELINUX_MOUNT_OPTS=""
if [[ -z "${OPENCLAW_BIND_MOUNT_OPTIONS:-}" ]]; then
if [[ "$(uname -s 2>/dev/null)" == "Linux" ]] && command -v getenforce >/dev/null 2>&1; then
_selinux_mode="$(getenforce 2>/dev/null || true)"
if [[ "$_selinux_mode" == "Enforcing" || "$_selinux_mode" == "Permissive" ]]; then
SELINUX_MOUNT_OPTS=",Z"
fi
fi
else
# Honour explicit override (e.g. OPENCLAW_BIND_MOUNT_OPTIONS=":Z" → strip leading colon for inline use).
SELINUX_MOUNT_OPTS="${OPENCLAW_BIND_MOUNT_OPTIONS#:}"
[[ -n "$SELINUX_MOUNT_OPTS" ]] && SELINUX_MOUNT_OPTS=",$SELINUX_MOUNT_OPTS"
fi
if [[ "$RUN_SETUP" == true ]]; then if [[ "$RUN_SETUP" == true ]]; then
exec podman run --pull="$PODMAN_PULL" --rm -it \ exec podman run --pull="$PODMAN_PULL" --rm -it \
--init \ --init \
"${USERNS_ARGS[@]}" "${RUN_USER_ARGS[@]}" \ "${USERNS_ARGS[@]}" "${RUN_USER_ARGS[@]}" \
-e HOME=/home/node -e TERM=xterm-256color -e BROWSER=echo \ -e HOME=/home/node -e TERM=xterm-256color -e BROWSER=echo \
-e OPENCLAW_GATEWAY_TOKEN="$OPENCLAW_GATEWAY_TOKEN" \ -e OPENCLAW_GATEWAY_TOKEN="$OPENCLAW_GATEWAY_TOKEN" \
-v "$CONFIG_DIR:/home/node/.openclaw:rw" \ -v "$CONFIG_DIR:/home/node/.openclaw:rw${SELINUX_MOUNT_OPTS}" \
-v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw" \ -v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw${SELINUX_MOUNT_OPTS}" \
"${ENV_FILE_ARGS[@]}" \ "${ENV_FILE_ARGS[@]}" \
"$OPENCLAW_IMAGE" \ "$OPENCLAW_IMAGE" \
node dist/index.js onboard "$@" node dist/index.js onboard "$@"
@@ -203,8 +219,8 @@ podman run --pull="$PODMAN_PULL" -d --replace \
-e HOME=/home/node -e TERM=xterm-256color \ -e HOME=/home/node -e TERM=xterm-256color \
-e OPENCLAW_GATEWAY_TOKEN="$OPENCLAW_GATEWAY_TOKEN" \ -e OPENCLAW_GATEWAY_TOKEN="$OPENCLAW_GATEWAY_TOKEN" \
"${ENV_FILE_ARGS[@]}" \ "${ENV_FILE_ARGS[@]}" \
-v "$CONFIG_DIR:/home/node/.openclaw:rw" \ -v "$CONFIG_DIR:/home/node/.openclaw:rw${SELINUX_MOUNT_OPTS}" \
-v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw" \ -v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw${SELINUX_MOUNT_OPTS}" \
-p "${HOST_GATEWAY_PORT}:18789" \ -p "${HOST_GATEWAY_PORT}:18789" \
-p "${HOST_BRIDGE_PORT}:18790" \ -p "${HOST_BRIDGE_PORT}:18790" \
"$OPENCLAW_IMAGE" \ "$OPENCLAW_IMAGE" \