On Wed, 17 Sep 2025 14:04:52 +0200, Paul Holzinger wrote:
Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defines the right context for them as well.
Link: https://github.com/containers/podman/issues/26473
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
Signed-off-by: Paul Holzinger
--- contrib/selinux/pasta.fc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index e4aefc4..c0f91df 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -14,3 +14,8 @@ /var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 /run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 /run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +# In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) podman falls back to a location under /tmp
Two more nits I can fix up on merge:

- s/podman/Podman/
- we typically wrap those comments at 80 columns, where possible, like in every other source file in the project (see e.g. selinux/passt.te)
+/tmp/storage-run-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/storage-run-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0
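Review bot: the new comment says Podman "falls back to a location under /tmp" (singular), but the hunk labels two different parent directories, /tmp/storage-run-%{USERID} and /tmp/containers-user-%{USERID}; a short note on which of the two is used under which condition (or that both appear depending on the Podman version) would tell a future reader whether both sets of entries still need to be kept when one of them goes away. Otherwise the four entries mirror the existing /run/user/%{USERID}/... pair exactly (same netns and containers/networks/rootless-netns suffixes, same ifconfig_var_run_t type), which is what the commit message asks for.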
Everything else looks good to me, thanks for fixing this (...or so I hope!).

-- 
Stefano
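The check a packager would want after applying this patch is that the loaded policy actually maps the /tmp fallback directories to ifconfig_var_run_t, not just the /run/user ones. The script below is an added example, not code from passt or Podman: it lists the paths from the patch for a given UID (with XDG_RUNTIME_DIR set, only the systemd user runtime location; otherwise both /tmp bases named in the hunk, since which base Podman picks is Podman's decision, not this script's) and asks matchpathcon(1) what type the installed file contexts assign to each. The function names, the --check flag and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example (not part of passt or Podman): verify that the pasta SELinux
# file contexts cover the rootless-netns directories, including the /tmp
# fallbacks used when XDG_RUNTIME_DIR is unset.
# Assumption: the fallback bases are the two from the patch,
# /tmp/storage-run-<uid> and /tmp/containers-user-<uid>; both are checked.

EXPECTED_TYPE=ifconfig_var_run_t

# pasta_netns_paths UID [XDG_RUNTIME_DIR]
# Prints, one per line, the directories a rootless Podman run may use for its
# network namespace files. With XDG_RUNTIME_DIR set, only that location
# applies; otherwise the /tmp fallbacks from the patch are listed.
pasta_netns_paths() {
    uid=$1
    xdg=${2:-}
    if [ -n "$xdg" ]; then
        printf '%s\n' "$xdg/netns" "$xdg/containers/networks/rootless-netns"
        return 0
    fi
    for base in "/tmp/storage-run-$uid" "/tmp/containers-user-$uid"; do
        printf '%s\n' "$base/netns" "$base/containers/networks/rootless-netns"
    done
}

# policy_type PATH: the type field of the context the installed file contexts
# assign to PATH. matchpathcon -n prints only "user:role:type:level".
policy_type() {
    matchpathcon -n "$1" | cut -d: -f3
}

# check_paths UID [XDG_RUNTIME_DIR]
# Returns 0 when every path gets EXPECTED_TYPE, 1 on any mismatch, and 2 when
# matchpathcon is not installed (no SELinux userspace on this host).
check_paths() {
    command -v matchpathcon >/dev/null 2>&1 || {
        echo "matchpathcon not available; cannot check labels" >&2
        return 2
    }
    rc=0
    for p in $(pasta_netns_paths "$1" "${2:-}"); do
        t=$(policy_type "$p" 2>/dev/null || true)
        if [ "$t" = "$EXPECTED_TYPE" ]; then
            echo "ok       $p -> $t"
        else
            echo "MISMATCH $p -> ${t:-<no match>} (want $EXPECTED_TYPE)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-netns-labels.sh --check [UID]
# Run after the policy module is installed; honours XDG_RUNTIME_DIR so you can
# test both the systemd-session case and the unset case (env -u XDG_RUNTIME_DIR).
if [ "${1:-}" = "--check" ]; then
    check_paths "${2:-$(id -u)}" "${XDG_RUNTIME_DIR:-}"
fi
```

Running it once normally and once under `env -u XDG_RUNTIME_DIR` exercises both branches; a MISMATCH line on a /tmp path means the new fc entries were not picked up (policy not rebuilt, or file contexts not reloaded), which is exactly the failure the patch is meant to prevent.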