From c66be2c2a0d4448623a32211222c5abf2e6aa7f4 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Wed, 17 Sep 2025 14:04:52 +0200 Subject: selinux: add missing file contexts for Podman Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defined the right context for them as well. Link: https://github.com/containers/podman/issues/26473 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054 Signed-off-by: Paul Holzinger [sbrivio: minor style fixes] Signed-off-by: Stefano Brivio --- contrib/selinux/pasta.fc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index e4aefc4..e60c614 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -14,3 +14,9 @@ /var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 /run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 /run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +# In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) Podman falls +# back to a location under /tmp +/tmp/storage-run-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/storage-run-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 -- cgit v1.2.3
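Review bot: The hunk only adds file-context specs for the two /tmp fallback trees, and neither the hunk nor the commit message says how those directories acquire ifconfig_var_run_t at runtime: a .fc entry is applied on relabel (restorecon / fixfiles), not when Podman creates the directory, so without an accompanying type transition the paths will carry whatever label /tmp hands out until a relabel runs. Please either reference the transition rule that covers these paths or state in the commit message that a restorecon of /tmp (or of the new trees) is required after installing the updated policy. The entries themselves are consistent with the existing /run/user/%{USERID}/netns and /run/user/%{USERID}/containers/networks/rootless-netns lines (same type, same exact-path form without a trailing (/.*)? pattern), so there is no mismatch to fix within the hunk.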