Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not
defined. Make sure the policy defines the right context for them as
well.
Link: https://github.com/containers/podman/issues/26473
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
Signed-off-by: Paul Holzinger
---
contrib/selinux/pasta.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
index e4aefc4..c0f91df 100644
--- a/contrib/selinux/pasta.fc
+++ b/contrib/selinux/pasta.fc
@@ -14,3 +14,8 @@
/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0
/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0
+# In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) podman falls back to a location under /tmp
+/tmp/storage-run-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0
+/tmp/storage-run-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0
+/tmp/containers-user-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0
+/tmp/containers-user-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0
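Review bot: the comment at the top of the hunk should say which component produces each of the two fallback roots (`/tmp/storage-run-%{USERID}` versus `/tmp/containers-user-%{USERID}`), since a reader of pasta.fc otherwise cannot tell why two prefixes are needed or which one to check on a system without a systemd user session; a pointer to the linked podman issue in that comment would suffice. The labels themselves are consistent with the existing `/run/user/%{USERID}` entries (both `netns` and `containers/networks/rootless-netns` get `ifconfig_var_run_t`), so no further change is needed there.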
--
2.51.0