Support devcontainers on Linux hosts using SELinux

[haakobja]

What happened?
Unable to access mounted workspace directory due to SELinux permissions

What did you expect to happen instead?
Use workspace directory as expected

How can we reproduce the bug?

• Log on a linux distribution using SELinux
• Use DevPod to create and start new devcontainer
• SSH into the contiainer
• touch /workspaces//test

My devcontainer.json: none (cloned a fresh git repo)

Local Environment:

• DevPod Version: 0.5.20
• Operating System: linux (Fedora 41)
• ARCH of the OS: AMD64

DevPod Provider:

• Local/remote provider: docker

Anything else we need to know?
I use Podman and its Docker compatibility mode.

There are three workarounds for this:

1. Set SELinux as permissive (I've not tried this)
2. Append :Z in .devcontainer.json as described in https://github.com/loft-sh/devpod/issues/970#issuecomment-2297652537, but this is not viable if the devcontainer is used by others
3. When using Podman: Add label=false to [container] in $HOME/.config/containers/containers.conf

I think :Z or :z (private or shared SELinux context) or label=false should be set by DevPod.

[westurner]

• Have you tested with --security-opt=label=disable or --security-opt=label=nested or a more restrictive label= value?
  • https://docs.podman.io/en/latest/markdown/podman-build.1.html#security-opt-option https://docs.podman.io/en/v4.6.1/markdown/options/security-opt.html#security-opt-option

    • That's how fedora-toolbox:latest (toolbox) and distrobox start containers:
      • distrobox-create [--nvidia] [--unshare-all] [--help] https://github.com/89luca89/distrobox/blob/c05b6a43769bfa56d572a457f1420e0e2589fe3b/distrobox-create#L661
      • distrobox-enter [--aditional-flags] [--name] [--/-e <bash -l>] distrobox-enter # just MY_VAR=value distrobox-enter --additional-flags "--preserve-fds" --name test -- bash -l https://github.com/89luca89/distrobox/blob/main/distrobox-enter

  • https://github.com/search?q=repo%3Acontainers%2Ftoolbox%20security-opt&type=code