fedora: Separately restore context for /run/user in %posttrans selinux

The previous change introduces specific file contexts for
/run/user/%{USERID}/netns and
/run/user/%{USERID}/containers/networks/rootless-netns, but
%selinux_relabel_post can't handle that, see comments for more
details.

Add a separate restorecon(8) call for /run/user as post-transaction
scriptlet for the SELinux subpackage.

Reported-by: Max Chernoff <git@maxchernoff.ca>
Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Max Chernoff <git@maxchernoff.ca>

1 files changed, 6 insertions, 0 deletions

diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 745cf01..5aaf7ac 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -102,6 +102,12 @@ fi
 
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}
+# %selinux_relabel_post calls fixfiles(8) with the previous file_contexts file
+# (see selabel_file(5)) in order to restore only the file contexts which
+# actually changed. However, as file_contexts doesn't support %{USERID}
+# substitutions, this will not work for specific file contexts that pasta needs
+# to have under /run/user. Restore those explicitly.
+restorecon -R /run/user
 
 %files
 %license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}