Support for SELinux

[acolombier]

Is your feature request related to a problem?

Yes - when running devpod with a docker-compatible executable (such as podman) using SELinux, the container gets permission denied on the mounted workspace folder

Which solution do you suggest?

It looks like adding the Z flag is enough to make it work:

diff --git a/pkg/docker/helper.go b/pkg/docker/helper.go
index 4adf4ff6..26f60ada 100644
--- a/pkg/docker/helper.go
+++ b/pkg/docker/helper.go
@@ -65,6 +65,15 @@ func (r *DockerHelper) GPUSupportEnabled() (bool, error) {
        return strings.Contains(string(out), "nvidia-container-runtime"), nil
 }
 
+func (r *DockerHelper) SELinuxEnabled(ctx context.Context) (bool, error) {
+       out, err := r.buildCmd(ctx, "info", "-f", "{{.Host.Security.SELinuxEnabled}}").Output()
+       if err != nil {
+               return false, command.WrapCommandError(out, err)
+       }
+
+       return strings.Contains(string(out), "true"), nil
+}
+
 func (r *DockerHelper) FindDevContainer(ctx context.Context, labels []string) (*config.ContainerDetails, error) {
        containers, err := r.FindContainer(ctx, labels)
        if err != nil {
diff --git a/pkg/driver/docker/docker.go b/pkg/driver/docker/docker.go
index c9b00db2..b27a3ea9 100644
--- a/pkg/driver/docker/docker.go
+++ b/pkg/driver/docker/docker.go
@@ -272,6 +272,12 @@ func (d *dockerDriver) RunDockerDevContainer(
                        mountPath = strings.Replace(mountPath, ",consistency='consistent'", "", 1)
                }
 
+               if ok, err := helper.SELinuxEnabled(ctx); ok && err == nil {
+                       mountPath = fmt.Sprintf("%s,z", mountPath)
+               } else if err != nil {
+                       d.Log.Infof("Unable to check if docker is running with SELinux. Assuming it is not.")
+               }
+
                args = append(args, "--mount", mountPath)
        }
 

Let me know if you would like me to submit a PR

Which alternative solutions exist?

N/A

Additional context

Using the main version of devpod, using with podman on Fedore 41 SilverBlue

[bkneis]

Thanks for reporting @acolombier! Currently we have this workaround documented on our website - https://devpod.sh/docs/troubleshooting/linux-troubleshooting#using-selinux

As you mentioned adding the Z is needed to allow the runtime to mount the volume. We opted to not automatically add this as we would need to detect SELinux and add the flag which is potentially not desired behaviour for other users.

Let me know if you have any specific ideas though about this or how it could be supported

[acolombier]

which is potentially not desired behaviour for other users.

Yes that makes sense. Could we consider adding an option similar to SSH_ADD_PRIVATE_KEYS to be used in tandem with DockerHelper.SELinuxEnabled? The rational being, devpod offers the great feature of working directly off a git repo, but the workaround require changing the devcontainer spec prior to running it.
As I mentioned in the initial report, in case this is something you would be okay to see in devpod, I'd be happy to submit my contribution!

[bkneis]

Hi @acolombier yes that would work! As long as we can toggle this functionality with a CLI flag then it would be great if you could submit a PR with your changes :) I think adding --disable-selinux-flag to the up command would suffice.

[bkneis]

@acolombier did you manage to get around adding the context option? If not please feel free to open a PR with your current changes and I can add the rest :)

[acolombier]

Apologies for the delay here @bkneis, I'm still planing to do it, just hadn't the time lately! Hoping to get that done this month! I will ping you if I need your help to complete the work :)