selinux: add missing file contexts for Podman

Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not
defined. Make sure the policy defined the right context for them as
well.

Link: https://github.com/containers/podman/issues/26473
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style fixes]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
index e4aefc4..e60c614 100644
--- a/contrib/selinux/pasta.fc
+++ b/contrib/selinux/pasta.fc
@@ -14,3 +14,9 @@
 /var/run/pasta\.pid					system_u:object_r:pasta_pid_t:s0
 /run/user/%{USERID}/netns				system_u:object_r:ifconfig_var_run_t:s0
 /run/user/%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0
+# In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) Podman falls
+# back to a location under /tmp
+/tmp/storage-run-%{USERID}/netns					system_u:object_r:ifconfig_var_run_t:s0
+/tmp/storage-run-%{USERID}/containers/networks/rootless-netns		system_u:object_r:ifconfig_var_run_t:s0
+/tmp/containers-user-%{USERID}/netns					system_u:object_r:ifconfig_var_run_t:s0
+/tmp/containers-user-%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0