[PATCH 1/2] selinux: add container_var_run_t type transition

Paul Holzinger

17 Sep 2025 17 Sep '25

2:04 p.m.

In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t which was expected here. Starting with a recent container-selinux change the runroot is now always container_var_run_t so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time. Link: https://github.com/containers/container-selinux/pull/405 Link: https://github.com/containers/podman/issues/26473 Signed-off-by: Paul Holzinger --- contrib/selinux/pasta.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index c0a1e9b..24e58c8 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -96,6 +96,7 @@ require { role staff_r; role user_r; type container_runtime_t; + type container_var_run_t; type container_t; type systemd_user_runtimedir_t; } @@ -242,8 +243,12 @@ type_transition container_runtime_t pasta_exec_t : process pasta_t; allow container_runtime_t pasta_t:process transition; # Label the user network namespace files +# Note podman files used to be user_tmp_t but now are container_var_run_t since +# https://github.com/containers/container-selinux/issues/404. type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns"; type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns"; allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; allow pasta_t ifconfig_var_run_t:file { create open write }; allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir; -- 2.51.0

Show replies by date

Paul Holzinger

17 Sep 17 Sep

2:04 p.m.

New subject: [PATCH 2/2] selinux: add missing file contexts for Podman

Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defined the right context for them as well. Link: https://github.com/containers/podman/issues/26473 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054 Signed-off-by: Paul Holzinger --- contrib/selinux/pasta.fc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index e4aefc4..c0f91df 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -14,3 +14,8 @@ /var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 /run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 /run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +# In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) podman falls back to a location under /tmp +/tmp/storage-run-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/storage-run-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 -- 2.51.0

Stefano Brivio

5:05 p.m.

New subject: [PATCH 2/2] selinux: add missing file contexts for Podman

On Wed, 17 Sep 2025 14:04:52 +0200 Paul Holzinger wrote:

...

Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defined the right context for them as well.

Link: https://github.com/containers/podman/issues/26473 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054

Signed-off-by: Paul Holzinger --- contrib/selinux/pasta.fc | 5 +++++ 1 file changed, 5 insertions(+)

diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index e4aefc4..c0f91df 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -14,3 +14,8 @@ /var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 /run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 /run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +# In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) podman falls back to a location under /tmp

Two more nits I can fix up on merge: - s/podman/Podman/ - we typically wrap those comments at 80 columns, where possible, like in every other source file in the project (see e.g. selinux/passt.te)

...

+/tmp/storage-run-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/storage-run-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0

Everything else looks good to me, thanks for fixing this (...or so I hope!). -- Stefano

Stefano Brivio

5:05 p.m.

On Wed, 17 Sep 2025 14:04:50 +0200 Paul Holzinger wrote:

...

In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t which was expected here. Starting with a recent container-selinux change the runroot is now always container_var_run_t so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time.

Link: https://github.com/containers/container-selinux/pull/405

Even if I just proposed a revert for this one: https://github.com/containers/container-selinux/pull/405

...

Link: https://github.com/containers/podman/issues/26473

it's still good to have this other issue fixed. Even though I'm not sure adding more and more labels to pasta's policy is the way to go, Podman issue #26473 has been open for way too long, so let's be pragmatic here at the slight expense of keeping profiles tight. Just a couple of nits (I can fix it all up on merge if you're fine with it, no need to re-post):

...

Signed-off-by: Paul Holzinger --- contrib/selinux/pasta.te | 5 +++++ 1 file changed, 5 insertions(+)

diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index c0a1e9b..24e58c8 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -96,6 +96,7 @@ require { role staff_r; role user_r; type container_runtime_t; + type container_var_run_t; type container_t; type systemd_user_runtimedir_t; } @@ -242,8 +243,12 @@ type_transition container_runtime_t pasta_exec_t : process pasta_t; allow container_runtime_t pasta_t:process transition;

# Label the user network namespace files +# Note podman files used to be user_tmp_t but now are container_var_run_t since

s/podman/Podman/

...

+# https://github.com/containers/container-selinux/issues/404.

I'd drop the . at the end because some URL parsers might miss the fact that it's not part of the URL, and require additional intervention once you press enter / click on the link.

...

type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns"; type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns"; allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; allow pasta_t ifconfig_var_run_t:file { create open write }; allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;

-- Stefano

Paul Holzinger

5:54 p.m.

On 17/09/2025 17:05, Stefano Brivio wrote:

...

On Wed, 17 Sep 2025 14:04:50 +0200 Paul Holzinger wrote:

...
In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t which was expected here. Starting with a recent container-selinux change the runroot is now always container_var_run_t so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time.

Link: https://github.com/containers/container-selinux/pull/405 Even if I just proposed a revert for this one:

https://github.com/containers/container-selinux/pull/405

...
Link: https://github.com/containers/podman/issues/26473 it's still good to have this other issue fixed. Even though I'm not sure adding more and more labels to pasta's policy is the way to go, Podman issue #26473 has been open for way too long, so let's be pragmatic here at the slight expense of keeping profiles tight.

Just a couple of nits (I can fix it all up on merge if you're fine with it, no need to re-post): yes please fix them, just note the one comment on the different link below

...
Signed-off-by: Paul Holzinger --- contrib/selinux/pasta.te | 5 +++++ 1 file changed, 5 insertions(+)

diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index c0a1e9b..24e58c8 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -96,6 +96,7 @@ require { role staff_r; role user_r; type container_runtime_t; + type container_var_run_t; type container_t; type systemd_user_runtimedir_t; } @@ -242,8 +243,12 @@ type_transition container_runtime_t pasta_exec_t : process pasta_t; allow container_runtime_t pasta_t:process transition;

# Label the user network namespace files +# Note podman files used to be user_tmp_t but now are container_var_run_t since s/podman/Podman/

...
+# https://github.com/containers/container-selinux/issues/404. I'd drop the . at the end because some URL parsers might miss the fact that it's not part of the URL, and require additional intervention once you press enter / click on the link.

Sure, but actually that should link https://github.com/containers/container-selinux/pull/405 instead. The issue doesn't really have a meaningful context for pasta.

...

...
type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns"; type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; +type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns"; allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; allow pasta_t ifconfig_var_run_t:file { create open write }; allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;

-- Paul Holzinger

Age (days ago)

Last active (days ago)

List overview

Download

4 comments

2 participants

participants (2)

Paul Holzinger
Stefano Brivio