loft-sh · mrudat · Oct 26, 2025 · Oct 26, 2025 · Oct 26, 2025 · Oct 26, 2025
diff --git a/cmd/up.go b/cmd/up.go
@@ -90,6 +90,9 @@ func NewUpCmd(f *flags.GlobalFlags) *cobra.Command {
 			if devPodConfig.ContextOption(config.ContextOptionSSHStrictHostKeyChecking) == "true" {
 				cmd.StrictHostKeyChecking = true
 			}
+			if devPodConfig.ContextOption(config.ContextOptionDisableSELinuxFlag) == "true" {
+				cmd.DisableSELinuxFlag = true
+			}
 
 			ctx, cancel := WithSignals(cobraCmd.Context())
 			defer cancel()
@@ -117,6 +120,7 @@ func NewUpCmd(f *flags.GlobalFlags) *cobra.Command {
 	upCmd.Flags().BoolVar(&cmd.Reconfigure, "reconfigure", false, "Reconfigure the options for this workspace. Only supported in DevPod Pro right now.")
 	upCmd.Flags().BoolVar(&cmd.Recreate, "recreate", false, "If true will remove any existing containers and recreate them")
 	upCmd.Flags().BoolVar(&cmd.Reset, "reset", false, "If true will remove any existing containers including sources, and recreate them")
+	upCmd.Flags().BoolVar(&cmd.DisableSELinuxFlag, "disable-selinux-flag", false, "If true will add the z flag to the workspace mount to disable SELinux")
 	upCmd.Flags().StringSliceVar(&cmd.PrebuildRepositories, "prebuild-repository", []string{}, "Docker repository that hosts devpod prebuilds for this workspace")
 	upCmd.Flags().StringArrayVar(&cmd.WorkspaceEnv, "workspace-env", []string{}, "Extra env variables to put into the workspace. E.g. MY_ENV_VAR=MY_VALUE")
 	upCmd.Flags().StringSliceVar(&cmd.WorkspaceEnvFile, "workspace-env-file", []string{}, "The path to files containing a list of extra env variables to put into the workspace. E.g. MY_ENV_VAR=MY_VALUE")

diff --git a/pkg/config/context.go b/pkg/config/context.go
@@ -22,6 +22,7 @@ const (
 	ContextOptionAgentInjectTimeout         = "AGENT_INJECT_TIMEOUT"
 	ContextOptionRegistryCache              = "REGISTRY_CACHE"
 	ContextOptionSSHStrictHostKeyChecking   = "SSH_STRICT_HOST_KEY_CHECKING"
+	ContextOptionDisableSELinuxFlag         = "DISABLE_SELINUX_FLAG"
 )
 
 var ContextOptions = []ContextOption{
@@ -105,6 +106,12 @@ var ContextOptions = []ContextOption{
 		Default:     "false",
 		Enum:        []string{"true", "false"},
 	},
+	{
+		Name:        ContextOptionDisableSELinuxFlag,
+		Description: "Adds the z flag to the workspace mounts to disable SELinux",
+		Default:     "false",
+		Enum:        []string{"true", "false"},
+	},
 }
 
 func MergeContextOptions(contextConfig *ContextConfig, environ []string) {

diff --git a/pkg/devcontainer/config.go b/pkg/devcontainer/config.go
@@ -138,6 +138,7 @@ func (r *runner) substitute(
 		parsedConfig.DockerfileContainer = config.DockerfileContainer{}
 		parsedConfig.ImageContainer = config.ImageContainer{Image: options.DevContainerImage}
 	}
+	substitutionContext.DisableSELinuxFlag = options.DisableSELinuxFlag
 
 	parsedConfig.Origin = configFile
 	return &config.SubstitutedConfig{

diff --git a/pkg/devcontainer/config/substitute.go b/pkg/devcontainer/config/substitute.go
@@ -25,6 +25,7 @@ type SubstitutionContext struct {
 	LocalWorkspaceFolder     string            `json:"LocalWorkspaceFolder,omitempty"`
 	ContainerWorkspaceFolder string            `json:"ContainerWorkspaceFolder,omitempty"`
 	Env                      map[string]string `json:"Env,omitempty"`
+	DisableSELinuxFlag       bool              `json:"DisableSELinuxFlag,omitempty"`
 
 	WorkspaceMount string `json:"WorkspaceMount,omitempty"`
 }

diff --git a/pkg/devcontainer/single.go b/pkg/devcontainer/single.go
@@ -183,6 +183,7 @@ func (r *runner) runContainer(
 	}
 
 	runOptions.Env = r.addExtraEnvVars(runOptions.Env)
+	runOptions.DisableSELinuxFlag = substitutionContext.DisableSELinuxFlag
 
 	// check if docker
 	dockerDriver, ok := r.Driver.(driver.DockerDriver)
@@ -274,9 +275,10 @@ func (r *runner) getDockerlessRunOptions(
 			metadata.ImageMetadataLabel + "=" + string(marshalled),
 			config.UserLabel + "=" + buildInfo.Dockerless.User,
 		},
-		Privileged:     mergedConfig.Privileged,
-		WorkspaceMount: &workspaceMountParsed,
-		Mounts:         mounts,
+		Privileged:         mergedConfig.Privileged,
+		WorkspaceMount:     &workspaceMountParsed,
+		Mounts:             mounts,
+		DisableSELinuxFlag: substitutionContext.DisableSELinuxFlag,
 	}, nil
 }
 
@@ -312,18 +314,19 @@ func (r *runner) getRunOptions(
 	}
 
 	return &driver.RunOptions{
-		UID:            uid,
-		Image:          buildInfo.ImageName,
-		User:           user,
-		Entrypoint:     entrypoint,
-		Cmd:            cmd,
-		Env:            mergedConfig.ContainerEnv,
-		CapAdd:         mergedConfig.CapAdd,
-		Labels:         labels,
-		Privileged:     mergedConfig.Privileged,
-		WorkspaceMount: &workspaceMountParsed,
-		SecurityOpt:    mergedConfig.SecurityOpt,
-		Mounts:         mergedConfig.Mounts,
+		UID:                uid,
+		Image:              buildInfo.ImageName,
+		User:               user,
+		Entrypoint:         entrypoint,
+		Cmd:                cmd,
+		Env:                mergedConfig.ContainerEnv,
+		CapAdd:             mergedConfig.CapAdd,
+		Labels:             labels,
+		Privileged:         mergedConfig.Privileged,
+		WorkspaceMount:     &workspaceMountParsed,
+		SecurityOpt:        mergedConfig.SecurityOpt,
+		Mounts:             mergedConfig.Mounts,
+		DisableSELinuxFlag: substitutionContext.DisableSELinuxFlag,
 	}, nil
 }
 

diff --git a/pkg/docker/helper.go b/pkg/docker/helper.go
@@ -67,6 +67,15 @@ func (r *DockerHelper) GPUSupportEnabled() (bool, error) {
 	return strings.Contains(string(out), "nvidia-container-runtime"), nil
 }
 
+func (r *DockerHelper) SELinuxEnabled(ctx context.Context) (bool, error) {
+	out, err := r.buildCmd(ctx, "info", "-f", "{{.Host.Security.SELinuxEnabled}}").Output()
+	if err != nil {
+		return false, command.WrapCommandError(out, err)
+	}
+
+	return strings.Contains(string(out), "true"), nil
+}
+
 func (r *DockerHelper) FindDevContainer(ctx context.Context, labels []string) (*config.ContainerDetails, error) {
 	containers, err := r.FindContainer(ctx, labels)
 	if err != nil {

diff --git a/pkg/driver/docker/docker.go b/pkg/driver/docker/docker.go
@@ -273,6 +273,14 @@ func (d *dockerDriver) RunDockerDevContainer(
 			mountPath = strings.Replace(mountPath, ",consistency='consistent'", "", 1)
 		}
 
+		if options.DisableSELinuxFlag {
+			if ok, err := helper.SELinuxEnabled(ctx); ok && err == nil {
+				mountPath = fmt.Sprintf("%s,z", mountPath)
+			} else if err != nil {
+				d.Log.Infof("Unable to check if docker is running with SELinux. Assuming it is not.")
+			}
+		}
+
 		args = append(args, "--mount", mountPath)
 	}
 

diff --git a/pkg/driver/types.go b/pkg/driver/types.go
@@ -80,4 +80,7 @@ type RunOptions struct {
 	// Bind mounts are expected to get copied from local to remote once. Volume mounts are expected
 	// to be persisted for the lifetime of the container.
 	Mounts []*config.Mount `json:"mounts,omitempty"`
+
+	// DisableSELinuxFlag indicates if SELinux flags should be disabled for the Workspace mount
+	DisableSELinuxFlag bool `json:"disableSELinuxFlag,omitempty"`
 }
diff --git a/pkg/provider/workspace.go b/pkg/provider/workspace.go
@@ -222,6 +222,7 @@ type CLIOptions struct {
 	GitSSHSigningKey            string            `json:"gitSshSigningKey,omitempty"`
 	SSHAuthSockID               string            `json:"sshAuthSockID,omitempty"` // ID to use when looking for SSH_AUTH_SOCK, defaults to a new random ID if not set (only used for browser IDEs)
 	StrictHostKeyChecking       bool              `json:"strictHostKeyChecking,omitempty"`
+	DisableSELinuxFlag          bool              `json:"disableSELinuxFlag,omitempty"`
 
 	// build options
 	Repository string   `json:"repository,omitempty"`