
fix(docker): add SELinux volume relabeling for RHEL/Fedora hosts#342

Open
Alexi5000 wants to merge 1 commit into KeygraphHQ:main from Alexi5000:pr/fix-selinux-volume-mounts

Conversation

Alexi5000 commented May 21, 2026

Summary

Addresses #288 (SELinux host startup/runtime failures — worker bind mounts).

On Linux hosts with SELinux enforcing mode, bind mounts fail silently because the container process lacks the correct security label to access mounted paths. The mount succeeds but access is denied at runtime.

Note: This PR is complementary to #289, not a duplicate. #289 fixes the router-config compose mount; this PR relabels the worker bind mounts in apps/cli/src/docker.ts. Both are needed for full SELinux support and can land independently.

Changes

  • Add automatic detection of SELinux enforcing mode via getenforce
  • Append :z (shared relabeling) to all bind-mount volume strings when enforcing
  • Use :ro,z for read-only mounts (comma-separated Docker volume options)
  • Cache the detection result for the session lifetime
  • No effect on macOS, Windows, or Linux hosts with SELinux disabled/permissive

The shared :z label is used rather than :Z because multiple worker containers may access the same workspace directory concurrently.

Test plan

  • Verify on RHEL/Fedora with SELinux enforcing: worker containers can read/write mounted volumes
  • Verify on Ubuntu (no SELinux): no :z suffix added, behavior unchanged
  • Verify on macOS/Windows: getenforce not found, no suffix added

Fixes KeygraphHQ#289

On Linux hosts with SELinux enforcing mode, bind mounts fail silently
because the container process lacks the correct security label to
access mounted paths.

Adds automatic detection of SELinux enforcing mode via getenforce and
appends :z (shared relabeling) to all bind-mount volume strings. Uses
:ro,z for read-only mounts. The shared :z label is appropriate because
multiple worker containers may access the same workspace concurrently.

No effect on macOS, Windows, or Linux hosts with SELinux disabled.
Alexi5000 force-pushed the pr/fix-selinux-volume-mounts branch from 355fe72 to bc5069d on June 23, 2026 05:00
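The detection-and-relabel logic the PR describes, written out as an added example (this is not the project's docker.ts and not the author's code): a getenforce probe whose result is cached for the session, and a pure function that appends z, or ro,z, to a Docker host:container[:opts] volume string. The helper names createSelinuxDetector, withSelinuxLabel and selinuxAwareVolumes, the sample paths, and the rule that only host paths that look like bind mounts (absolute, ./, ../ or ~) get relabeled while named volumes are left alone are all this example's own assumptions.

```typescript
// Added example, not the project's docker.ts. Helper names and sample paths are
// assumptions for illustration.
import { execFileSync } from "node:child_process";

// Runs getenforce and returns its stdout: "Enforcing", "Permissive" or "Disabled".
// Throws when the binary is absent, which is the normal case on macOS, Windows and
// Linux distributions without SELinux (Ubuntu, for example).
function runGetenforce(): string {
  return execFileSync("getenforce", { encoding: "utf8", stdio: "pipe" });
}

// Returns a detector that probes once and caches the answer for the session.
// The probe is injectable so the logic can be exercised on any host.
function createSelinuxDetector(probe: () => string = runGetenforce): () => boolean {
  let cached: boolean | undefined;
  return () => {
    if (cached === undefined) {
      try {
        // Only "Enforcing" needs relabeling; "Permissive" logs denials but allows access.
        cached = probe().trim() === "Enforcing";
      } catch {
        cached = false; // getenforce not found or failed: leave volume strings untouched
      }
    }
    return cached;
  };
}

// Host paths that mark a bind mount rather than a named or anonymous volume
// (this example's own heuristic, not a Docker rule).
function isBindMount(hostPart: string): boolean {
  return (
    hostPart.startsWith("/") ||
    hostPart.startsWith("./") ||
    hostPart.startsWith("../") ||
    hostPart.startsWith("~")
  );
}

// Appends the shared SELinux label to a "-v host:container[:opts]" string when
// SELinux is enforcing. "z" (shared) rather than "Z" (private): "Z" relabels the
// host directory for one container only, so the last worker started would lock
// the other workers out of a shared workspace.
function withSelinuxLabel(volume: string, enforcing: boolean): string {
  if (!enforcing) return volume;
  const parts = volume.split(":");
  if (parts.length < 2 || parts.length > 3 || !isBindMount(parts[0])) {
    return volume; // named volume, anonymous volume or unexpected shape: do not touch
  }
  const opts = parts.length === 3 ? parts[2].split(",").filter(Boolean) : [];
  if (opts.includes("z") || opts.includes("Z")) return volume; // already labeled
  opts.push("z"); // "ro" stays first, giving "ro,z"
  return `${parts[0]}:${parts[1]}:${opts.join(",")}`;
}

// Wires the two together the way a run/compose argument builder would: one probe
// per batch, then every bind mount gets the label.
function selinuxAwareVolumes(volumes: string[], enforcing: () => boolean): string[] {
  const on = enforcing();
  return volumes.map((v) => withSelinuxLabel(v, on));
}
```

Two caveats worth keeping in mind when wiring this into a real argument builder. First, z and Z are not cosmetic: Docker relabels the host directory's SELinux context, and that change persists after the container exits, so never apply either label to a system directory such as /home or /usr. Second, treating "Permissive" as "not enforcing" matches the PR's stated behaviour, but on a permissive host the denials still show up in the audit log, which is a useful signal when debugging a relabeling policy before switching to enforcing.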