Bug Description
The container usage instructions in the README do not work on systems with SELinux enabled (Fedora, RHEL) when using rootless Podman.
Multiple issues prevent successful execution:
- Volume mount permissions
- Git safe directory checks
- Write permission errors
To Reproduce
Steps to reproduce the behavior:
- Use Fedora or RHEL with SELinux enabled
- Run rootless Podman
- Follow the documented container instructions:
mkdir -p ~/agentready-reports
podman run --rm \
-v /tmp/agentready:/repo:ro \
-v ~/agentready-reports:/reports \
ghcr.io/ambient-code/agentready:latest \
assess /repo --output-dir /reports
- See errors (details below)
Expected Behavior
The container should successfully assess the repository and write reports to the output directory as documented.
Actual Behavior
Multiple errors occur in sequence when attempting to run the documented commands:
Error 1 - Volume not readable:
Error: Invalid value for '--output-dir' / '-o': Path '/reports' is not readable.
Error 2 - After adding :Z SELinux label:
Error: Invalid value for '[REPOSITORY]': Path '/repo' is not readable.
Error 3 - After fixing both volume labels:
Error during assessment: SHA is empty, possible dubious ownership in the repository at /repo.
Error 4 - After setting GIT_CONFIG environment variables:
PermissionError: [Errno 13] Permission denied: '/reports/assessment-20260330-125042.json'
Environment
- OS: Fedora 43 (Linux 6.19.8-200.fc43.x86_64)
- Container runtime: Podman (rootless)
- SELinux: Enforcing
- agentready version: latest (ghcr.io/ambient-code/agentready:latest)
Workaround
The following command works correctly:
podman run --rm \
--user $(id -u):$(id -g) \
--userns=keep-id \
-v $(pwd):/repo:ro,z \
-v ~/agentready-reports:/reports:Z \
ghcr.io/ambient-code/agentready:latest \
assess /repo --output-dir /reports
Key additions required:
- --user $(id -u):$(id -g) - Run as current user
- --userns=keep-id - Preserve user namespace mapping for rootless Podman
- :z or :Z - SELinux volume labels (lowercase z for shared, uppercase Z for private)
Possible Solution
Update the container documentation to include:
- SELinux users (Fedora/RHEL/CentOS): Add :Z labels to volume mounts
- Rootless Podman users: Add --user and --userns=keep-id flags
- Provide separate examples for Docker vs Podman, or a "universal" command that works for both
Example updated documentation:
# For rootless Podman with SELinux (Fedora/RHEL):
podman run --rm \
--user $(id -u):$(id -g) \
--userns=keep-id \
-v /path/to/repo:/repo:ro,z \
-v ~/agentready-reports:/reports:Z \
ghcr.io/ambient-code/agentready:latest \
assess /repo --output-dir /reports
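
A wrapper in the spirit of the "universal" command requested above, as an added example that is not part of the original issue or the agentready project: it emits the workaround's flags only when they apply. The function names and the refusal list are assumptions; the guard is there because :z and :Z change the SELinux label of everything under the mounted host path.

```shell
#!/bin/sh
# Added example, not agentready code. Function names and the refusal list are assumptions.

# Print Enforcing, Permissive or Disabled (Disabled when getenforce is absent).
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo Disabled; fi
}

# safe_to_relabel DIR HOME_DIR: fail for top-level and home directories, because
# :z/:Z change the SELinux label of everything under the mounted host path.
safe_to_relabel() {
  case "${1%/}" in
    ""|/tmp|/var|/etc|/usr|/home|"${2%/}") return 1 ;;
    *) return 0 ;;
  esac
}

# build_args MODE ROOTLESS REPO REPORTS HOME_DIR: print one podman argument per line.
build_args() {
  mode=$1; rootless=$2; repo=$3; reports=$4; home=$5
  ro=":ro"; rw=""
  if [ "$mode" != "Disabled" ]; then
    if ! safe_to_relabel "$repo" "$home" || ! safe_to_relabel "$reports" "$home"; then
      echo "refusing to relabel $repo or $reports" >&2
      return 1
    fi
    ro=":ro,z"; rw=":Z"   # shared label for the read-only repo, private for reports
  fi
  printf '%s\n' run --rm
  if [ "$rootless" = "yes" ]; then
    # Map the invoking user into the container so /reports stays writable.
    printf '%s\n' --user "$(id -u):$(id -g)" --userns=keep-id
  fi
  printf '%s\n' -v "$repo:/repo$ro" -v "$reports:/reports$rw" \
    ghcr.io/ambient-code/agentready:latest assess /repo --output-dir /reports
}

# run_agentready REPO REPORTS: detect the environment, then run podman.
run_agentready() {
  rootless=no
  if [ "$(id -u)" -ne 0 ]; then rootless=yes; fi   # podman as non-root is rootless
  args=$(build_args "$(selinux_mode)" "$rootless" "$1" "$2" "$HOME") || return 1
  old_ifs=$IFS; IFS='
'
  set -f; set -- $args; set +f; IFS=$old_ifs   # split on newlines only
  podman "$@"
}
```

Call it as `run_agentready /path/to/repo ~/agentready-reports` after sourcing the file; nothing runs at load time.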