`graph --drawio --drawio-args "-I"` fails on Podman/SELinux with `Permission denied: 'mcfab.clab.yml'`

[Dave-Mack]

Describe the bug

On Oracle Linux 9 (SELinux enforcing) with Podman runtime, running containerlab graph in interactive draw.io mode fails to read the topology file from inside clab-io-draw container.

Command:

sudo /opt/containerlab/clab-wrapper.sh graph -r podman --drawio --drawio-args "-I" -t /home/<user>/<path>/mcfab.clab.yml

Error:

An error occurred while loading the config: [Errno 13] Permission denied: 'mcfab.clab.yml'
Failed to load topology. Exiting.
Clab-Io-Draw container exited with code 1.

Environment

• OS: Oracle Linux 9
• SELinux: Enforcing
• Runtime: Podman
• containerlab invoked via wrapper:
  • /opt/containerlab/clab-wrapper.sh -> sudo /etc/containerlab/containerlab

What I tested

• File permissions are world-readable (-rwxrwxrwx), so not standard UNIX perms.

• Manual podman bind mount without relabel fails to read file.

• Same mount with SELinux relabel (:Z) succeeds.

• Relabeling workspace to container_file_t:s0 helps non-interactive drawio.

• Non-interactive command works:

  sudo /opt/containerlab/clab-wrapper.sh graph -r podman --drawio -t /home/<user>/<path>/mcfab.clab.yml

• Interactive mode (--drawio-args "-I") still problematic in this environment.

Expected behavior

containerlab graph --drawio --drawio-args "-I" should work on Podman+SELinux systems without manual relabel tuning.

Suggestion

Consider Podman/SELinux-aware bind handling for clab-io-draw (e.g., mount relabel semantics) and/or documenting required SELinux labels for interactive drawio mode.