The previous change introduces specific file contexts for
/run/user/%{USERID}/netns and
/run/user/%{USERID}/containers/networks/rootless-netns, but
%selinux_relabel_post can't handle that, see comments for more
details.
Add a separate restorecon(8) call for /run/user in the
post-transaction scriptlet for the SELinux subpackage.
Reported-by: Max Chernoff
Link: https://bugs.passt.top/show_bug.cgi?id=81
Link: https://github.com/containers/podman/discussions/26100#discussioncomment-130...
Signed-off-by: Stefano Brivio
---
This should be applied on top of Max's:
[PATCH v3 1/1] selinux: Transition to pasta_t in containers
contrib/fedora/passt.spec | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 745cf01..5aaf7ac 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -102,6 +102,12 @@ fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
+# %selinux_relabel_post calls fixfiles(8) with the previous file_contexts file
+# (see selabel_file(5)) in order to restore only the file contexts which
+# actually changed. However, as file_contexts doesn't support %{USERID}
+# substitutions, this will not work for specific file contexts that pasta needs
+# to have under /run/user. Restore those explicitly.
+restorecon -R /run/user
%files
%license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
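Review bot: the new comment block in the %posttrans scriptlet is not inert, because rpm expands macros inside `#` comment lines as well. `%selinux_relabel_post` on the first comment line is defined at build time (the scriptlet invokes it one line earlier), so rpm will expand it with the rest of that comment line as its arguments and splice its multi-line body into the scriptlet, with only the first line of the expansion still behind the `#`; rpmlint reports this as macro-in-comment. Escape the percent signs, e.g. `# %%selinux_relabel_post calls fixfiles(8) with the previous file_contexts file` and `# ... file_contexts doesn't support %%{USERID}`, so the comment stays a comment. Separately, `restorecon -R /run/user` is the last command of the scriptlet and runs unconditionally, so its exit status becomes the scriptlet's: in a chroot, an image build, or a fresh install where no session has been opened yet, /run/user does not exist, restorecon fails on the missing path, and rpm reports a failed %posttrans. The usual guard is `[ -d /run/user ] && restorecon -R /run/user || :`. It would also help the next reader if the comment said that this walks every logged-in user's runtime directory rather than only the netns and rootless-netns paths named in the commit message; the wider walk is harmless since restorecon only rewrites labels that differ from the policy, but it is broader than the two paths the comment currently implies.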
--
2.43.0