Podman: SELinux detection fails when VS Code runs inside Flatpak (label=disable needed)

[ibaidev]

Description

When using VS Code with Podman + SELinux, VS Code currently detects an SELinux-enabled environment by calling getenforce and checking .Host.Security.SELinuxEnabled. If VS Code is running inside a Flatpak, getenforce inside the Flatpak returns "Disabled" even though the host is "Enforcing". That makes VS Code think SELinux is not enabled and it does not pass label=disable, causing permission/SELinux denial issues when building containers with features. If I manually make getenforce return "Enforcing" inside the Flatpak, detection succeeds and the container build works.

Environment

• Host OS: Fedora (or another SELinux‑enforcing distribution).
• VS Code as Flatpak: com.visualstudio.code + com.visualstudio.code.tool.podman.
• Podman version: 5.6.1
• VS Code version: 1.102.1

Steps to reproduce

1. Click "Dev Containers: Reopen in Container" from VS Code.

Actual behavior

• Inside a Flatpak sandbox, getenforce reports Disabled and detection fails, so label=disable is not set and builds fail.

Expected behavior

• VS Code should correctly detect the host SELinux state when running inside Flatpak sandboxes and pass label=disable when necessary to avoid SELinux denial issues with Podman.

Suggested fixes / discussion

• Consider additional detection strategies when running inside Flatpak.

[Kaniska244]

Hello @ibaidev ,

Thank you for reporting this issue. From the description it doesn't appear to be an issue with dev containers as such. Appears to be specific to Visual Studio Code. Would you kindly report this issue with VSCode?
Otherwise if this turns out to be an issue with dev containers, then kindly provide dev container log and the configuration details such as the devcontainer.json for the same to investigate this further.

[ibaidev]

Hi @Kaniska244,

Thank you for your response.

I dug into the code and I believe the root cause is in this repo.

I inspected the change in #1045 and realized that in src/spec-node/containerFeatures.ts the SELinux-label decision (isUsingSELinuxLabels) requires both:

• getenforce !== "Disabled"
• podman to report .Host.Security.SELinuxEnabled === true

Inside a Flatpak, .Host.Security.SELinuxEnabled is true but getenforce returns Disabled, so the combined check prevents setting label=disable and the build fails. If I make getenforce return Enforcing inside the Flatpak, detection succeeds and the feature build works.

Possible options to fix this:

1. Remove the getenforce check entirely.
2. Keep both checks but add a Flatpak-aware exception: when running inside Flatpak, trust podman .Host.Security.SELinuxEnabled and skip the getenforce check. This targets the real-world cause (getenforce inside Flatpak is not representative) while minimizing side effects.
3. Add a best-effort fallback: if .Host.Security.SELinuxEnabled === true OR getenforce === "Enforcing", enable label=disable.

Maybe @chrmarti can guide us on this issue.

Regards,