In some cases the podman runroot directory used to be labelled
container_var_run_t instead of user_tmp_t, which is the type this policy expected.
Starting with a recent container-selinux change the runroot is now
always container_var_run_t so make the policy handle both types to allow
for a better upgrade path where passt-selinux and container-selinux are
not updated at the same time.
Link: https://github.com/containers/container-selinux/pull/405
Link: https://github.com/containers/podman/issues/26473
Signed-off-by: Paul Holzinger
---
contrib/selinux/pasta.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index c0a1e9b..24e58c8 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -96,6 +96,7 @@ require {
role staff_r;
role user_r;
type container_runtime_t;
+ type container_var_run_t;
type container_t;
type systemd_user_runtimedir_t;
}
@@ -242,8 +243,12 @@ type_transition container_runtime_t pasta_exec_t : process pasta_t;
allow container_runtime_t pasta_t:process transition;
# Label the user network namespace files
+# Note podman files used to be user_tmp_t but now are container_var_run_t since
+# https://github.com/containers/container-selinux/issues/404.
type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
+type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns";
type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
+type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns";
allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
allow pasta_t ifconfig_var_run_t:file { create open write };
allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;
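Review bot: The two added type_transition lines for container_var_run_t only decide the label of a `netns`/`rootless-netns` directory at creation time, and the hunk shows no matching permission for pasta_t on the new parent type (e.g. `allow pasta_t container_var_run_t:dir search;`), so whether pasta_t can actually traverse a container_var_run_t runroot to reach the ifconfig_var_run_t files depends on rules outside this hunk; worth confirming that such access already exists in pasta.te, since a denial there would surface only after container-selinux is updated. Directories that already exist before the policy update also keep their current label, so the upgrade path described in the commit message covers newly created namespaces only; a short remark on that would help, e.g. `# Only affects newly created dirs; existing ones keep their label.` The new comment cites issues/404 while the commit message links pull/405 — citing both, or the PR that made the change, would make the reference easier to follow.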
--
2.51.0