From 6eed5da7e5213bc6b72a369207e113f584f645c2 Mon Sep 17 00:00:00 2001
From: Charlie Savage
Date: Thu, 30 Apr 2026 20:43:55 -0700
Subject: [PATCH] fix: add ",z" SELinux relabel to CA cert bind mounts

---
 src/container/index.ts | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/container/index.ts b/src/container/index.ts
index 5d5a164..6f7bd38 100644
--- a/src/container/index.ts
+++ b/src/container/index.ts
@@ -133,11 +133,13 @@ export class ContainerClient {
 args.push("-e", `${key}=${value}`);
 }
-// Write CA certificate to host temp file and mount into container
+// Write CA certificate to host temp file and mount into container.
+// `,z` is a shared SELinux relabel so the container can read the cert
+// on enforcing systems (Fedora + podman). No-op on non-SELinux hosts.
 const hostCaPath = writeCaCertificate(config.caCertificate);
 args.push(
 "-v",
-`${hostCaPath}:${config.caCertificateContainerPath}:ro`,
+`${hostCaPath}:${config.caCertificateContainerPath}:ro,z`,
 );
 // Build combined CA bundle for system-wide trust (curl, Python, Go, etc.)
@@ -147,7 +149,7 @@ export class ContainerClient {
 args.push("-e", "SSL_CERT_FILE=/tmp/onecli-combined-ca.pem");
 // DENO_CERT: Deno does not respect SSL_CERT_FILE, it has its own env var
 args.push("-e", "DENO_CERT=/tmp/onecli-combined-ca.pem");
-args.push("-v", `${combinedPath}:/tmp/onecli-combined-ca.pem:ro`);
+args.push("-v", `${combinedPath}:/tmp/onecli-combined-ca.pem:ro,z`);
 }
 }
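Review bot: The shared `z` relabel on the hostCaPath mount (and the same `,z` added to the combined-bundle mount in the second hunk) marks the host temp file readable by every SELinux-confined container on the host, whereas a private `Z` label would confine it to this one container; if `writeCaCertificate` and the combined-bundle writer produce a fresh per-invocation file, `Z` is the least-privilege choice, but if one host path is reused by concurrent containers `z` is required, because each `Z` relabel revokes the previous container's access. The relabel also rewrites the host file's security context regardless of `ro`, so it must only ever be applied to paths this tool creates itself, never to a user-supplied host path. Whichever case applies should be recorded next to the new comment, e.g. `// z (shared) rather than Z (private): the same host file may be mounted into several containers at once` or its converse. The enclosing method begins before both hunks, so whether these temp files are per-container cannot be confirmed from here. The `,z` suffix is now repeated in two template literals; a single `const` holding the mount options would keep the two mounts in step.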