diff --git a/CHANGELOG.md b/CHANGELOG.md
index b25193bd9da..3d4b50a361e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,7 @@ Docs: https://docs.openclaw.ai
 - Context engine registry/bundled builds: share the registry state through a `globalThis` singleton so duplicated bundled module copies can resolve engines registered by each other at runtime, with regression coverage for duplicate-module imports. (#40115) thanks @jalehman.
 - macOS/Tailscale gateway discovery: keep Tailscale Serve probing alive when other remote gateways are already discovered, prefer direct transport for resolved `.ts.net` and Tailscale Serve gateways, and set `TERM=dumb` for GUI-launched Tailscale CLI discovery. (#40167) thanks @ngutman.
 - Podman/setup: fix `cannot chdir: Permission denied` in `run_as_user` when `setup-podman.sh` is invoked from a directory the target user cannot access, by wrapping user-switch calls in a subshell that cd's to `/tmp` with `/` fallback. (#39435) Thanks @langdon and @jlcbk.
+- Podman/SELinux: auto-detect SELinux enforcing/permissive mode and add `:Z` relabel to bind mounts in `run-openclaw-podman.sh` and the Quadlet template, fixing `EACCES` on Fedora/RHEL hosts. Supports `OPENCLAW_BIND_MOUNT_OPTIONS` override. (#39449) Thanks @langdon and @githubbzxs.
 
 ## 2026.3.7
 
diff --git a/scripts/podman/openclaw.container.in b/scripts/podman/openclaw.container.in
index db643ca42bc..e0ad2ac8bde 100644
--- a/scripts/podman/openclaw.container.in
+++ b/scripts/podman/openclaw.container.in
@@ -11,7 +11,7 @@ ContainerName=openclaw
 UserNS=keep-id
 # Keep container UID/GID aligned with the invoking user so mounted config is readable.
 User=%U:%G
-Volume={{OPENCLAW_HOME}}/.openclaw:/home/node/.openclaw
+Volume={{OPENCLAW_HOME}}/.openclaw:/home/node/.openclaw:Z
 EnvironmentFile={{OPENCLAW_HOME}}/.openclaw/.env
 Environment=HOME=/home/node
 Environment=TERM=xterm-256color
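Review bot: The `:Z` added to the Volume line requests a container-private MCS label, and Podman relabels the whole `~/.openclaw` tree on the host each time the unit starts; `run-openclaw-podman.sh` in this same change bind-mounts the same directory with `:Z` too, so if the script is run while this unit is active each container relabels the tree out from under the other and the older one should start seeing AVC denials. If both are meant to coexist, the shared label `:z` is the safer option; if they are not, a comment should make that assumption explicit, e.g. `# :Z gives the mount a container-private SELinux label; do not run run-openclaw-podman.sh against the same ~/.openclaw while this unit is active`. Unlike the script, the template has no `OPENCLAW_BIND_MOUNT_OPTIONS`-style opt-out, so the relabel is unconditional here (Podman should ignore it where SELinux is disabled, but that is worth stating in the same comment).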
diff --git a/scripts/run-openclaw-podman.sh b/scripts/run-openclaw-podman.sh
index 33e9f6d7d94..68b64915479 100755
--- a/scripts/run-openclaw-podman.sh
+++ b/scripts/run-openclaw-podman.sh
@@ -183,14 +183,30 @@ fi
 ENV_FILE_ARGS=()
 [[ -f "$ENV_FILE" ]] && ENV_FILE_ARGS+=(--env-file "$ENV_FILE")
 
+# On Linux with SELinux enforcing/permissive, add ,Z so Podman relabels the
+# bind-mounted directories and the container can access them.
+SELINUX_MOUNT_OPTS=""
+if [[ -z "${OPENCLAW_BIND_MOUNT_OPTIONS:-}" ]]; then
+  if [[ "$(uname -s 2>/dev/null)" == "Linux" ]] && command -v getenforce >/dev/null 2>&1; then
+    _selinux_mode="$(getenforce 2>/dev/null || true)"
+    if [[ "$_selinux_mode" == "Enforcing" || "$_selinux_mode" == "Permissive" ]]; then
+      SELINUX_MOUNT_OPTS=",Z"
+    fi
+  fi
+else
+  # Honour explicit override (e.g. OPENCLAW_BIND_MOUNT_OPTIONS=":Z" → strip leading colon for inline use).
+  SELINUX_MOUNT_OPTS="${OPENCLAW_BIND_MOUNT_OPTIONS#:}"
+  [[ -n "$SELINUX_MOUNT_OPTS" ]] && SELINUX_MOUNT_OPTS=",$SELINUX_MOUNT_OPTS"
+fi
+
 if [[ "$RUN_SETUP" == true ]]; then
   exec podman run --pull="$PODMAN_PULL" --rm -it \
     --init \
     "${USERNS_ARGS[@]}" "${RUN_USER_ARGS[@]}" \
     -e HOME=/home/node -e TERM=xterm-256color -e BROWSER=echo \
     -e OPENCLAW_GATEWAY_TOKEN="$OPENCLAW_GATEWAY_TOKEN" \
-    -v "$CONFIG_DIR:/home/node/.openclaw:rw" \
-    -v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw" \
+    -v "$CONFIG_DIR:/home/node/.openclaw:rw${SELINUX_MOUNT_OPTS}" \
+    -v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw${SELINUX_MOUNT_OPTS}" \
     "${ENV_FILE_ARGS[@]}" \
     "$OPENCLAW_IMAGE" \
     node dist/index.js onboard "$@"
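Review bot: Setting `OPENCLAW_BIND_MOUNT_OPTIONS` to an empty string does not opt out of relabelling: the `[[ -z "${OPENCLAW_BIND_MOUNT_OPTIONS:-}" ]]` test treats set-but-empty exactly like unset and falls through to auto-detection, so on an enforcing host there is no way to run without `,Z` (needed, for example, when `$CONFIG_DIR` is also read by confined host services or sits on a filesystem where the relabel fails). Testing for presence instead, `if [[ -z "${OPENCLAW_BIND_MOUNT_OPTIONS+x}" ]]; then`, makes an explicit empty value produce no extra option while keeping the current behaviour for unset, and the header comment should spell this out: `# OPENCLAW_BIND_MOUNT_OPTIONS: unset = auto-detect SELinux; empty = never relabel; "Z"/":Z"/"z" = use as given`. Because the override is appended after `:rw`, a value such as `rw,Z` would repeat the `rw` option on the `-v` argument, so the comment should also say callers pass only the label option. The `if [[ "$RUN_SETUP" == true ]]` block that starts in this hunk closes outside it.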
@@ -203,8 +219,8 @@ podman run --pull="$PODMAN_PULL" -d --replace \ -e HOME=/home/node -e TERM=xterm-256color \ -e OPENCLAW_GATEWAY_TOKEN="$OPENCLAW_GATEWAY_TOKEN" \ "${ENV_FILE_ARGS[@]}" \ - -v "$CONFIG_DIR:/home/node/.openclaw:rw" \ - -v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw" \ + -v "$CONFIG_DIR:/home/node/.openclaw:rw${SELINUX_MOUNT_OPTS}" \ + -v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw${SELINUX_MOUNT_OPTS}" \ -p "${HOST_GATEWAY_PORT}:18789" \ -p "${HOST_BRIDGE_PORT}:18790" \ "$OPENCLAW_IMAGE" \