authorPaul Holzinger <pholzing@redhat.com>2025-09-17 14:04:50 +0200
committerStefano Brivio <sbrivio@redhat.com>2025-09-18 17:16:58 +0200
commitfd1bcc30af0778715666434799180ee456c0c83f (patch)
tree14cd33048edcc77102be20821de9ce20fb58293d
parent6f23cb9fdb59a8369780c19a06c0739e1c2c8c09 (diff)
selinux: add container_var_run_t type transition
In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t, which is what this policy expected. Starting with a recent container-selinux change the runroot is now always container_var_run_t, so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time. Link: https://github.com/containers/container-selinux/pull/405 Link: https://github.com/containers/podman/issues/26473 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style edits] Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r--contrib/selinux/pasta.te5
1 files changed, 5 insertions, 0 deletions
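--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -96,6 +96,7 @@ require {
 role staff_r;
 role user_r;
 type container_runtime_t;
+ type container_var_run_t;
 type container_t;
 type systemd_user_runtimedir_t;
 }
@@ -242,8 +243,12 @@ type_transition container_runtime_t pasta_exec_t : process pasta_t;
 allow container_runtime_t pasta_t:process transition;
 # Label the user network namespace files
+# Note: Podman files used to be user_tmp_t but are now container_var_run_t since
+# https://github.com/containers/container-selinux/pull/405
 type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
+type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns";
 type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
+type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns";
 allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
 allow pasta_t ifconfig_var_run_t:file { create open write };
 allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;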
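Review bot: The new `type container_var_run_t;` entry in the `require` block (first hunk) makes that type a hard load-time dependency: if the installed container-selinux does not declare `container_var_run_t`, the pasta module will fail to load rather than degrade to the old `user_tmp_t`-only behaviour, so the upgrade path the description argues for presumably relies on the type itself predating the labelling change in PR 405, and it would help to say so next to the require line, e.g. `# container_var_run_t must be declared by the base policy for this module to load`. In the second hunk, the comment above the transitions explains the new labelling but not why the `user_tmp_t` rules are kept; a line such as `# Both sets of rules are kept so the policy works with either labelling during upgrades` would keep a later cleanup from dropping them while older container-selinux is still deployed. Whether `container_runtime_t` already holds the create permissions on `container_var_run_t` directories needed for these transitions to take effect is not visible in this hunk and is presumably provided by container-selinux.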