[PATCH] fedora: Hide restorecon(8) errors in post-transaction scriptlet

[PATCH] fedora: Hide restorecon(8) errors in post-transaction scriptlet

[Stefano Brivio]

Commit e01932353869 ("fedora: Separately restore context for /run/user
in %posttrans selinux") added a call to restorecon for /run/user in
the passt-selinux post-transaction scriptlet, and we can't give a path
that's more specific than that, but it often contains FUSE mountpoints
that are not accessible as root, resulting in warnings as the package
is installed.

Hide the errors, a failure in relabeling wouldn't be really
problematic in any case.

Link: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f454466bb6
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2371159
Fixes: e01932353869 ("fedora: Separately restore context for /run/user in %posttrans selinux")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/fedora/passt.spec | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index e52f50f..663289f 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -107,8 +107,13 @@ fi
 # (see selabel_file(5)) in order to restore only the file contexts which
 # actually changed. However, as file_contexts doesn't support %{USERID}
 # substitutions, this will not work for specific file contexts that pasta needs
-# to have under /run/user. Restore those explicitly.
-restorecon -R /run/user
+# to have under /run/user.
+#
+# Restore those explicitly, hiding errors from restorecon(8): we can't pass a
+# path that's more specific than this, but at the same time /run/user often
+# contains FUSE mountpoints that can't be accessed as root, leading to
+# "Permission denied" messages, but not failures.
+restorecon -R /run/user 2>/dev/null
 
 %files
 %license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
-- 
@@ -107,8 +107,13 @@ fi
 # (see selabel_file(5)) in order to restore only the file contexts which
 # actually changed. However, as file_contexts doesn't support %{USERID}
 # substitutions, this will not work for specific file contexts that pasta needs
-# to have under /run/user. Restore those explicitly.
-restorecon -R /run/user
+# to have under /run/user.
+#
+# Restore those explicitly, hiding errors from restorecon(8): we can't pass a
+# path that's more specific than this, but at the same time /run/user often
+# contains FUSE mountpoints that can't be accessed as root, leading to
+# "Permission denied" messages, but not failures.
+restorecon -R /run/user 2>/dev/null
 
 %files
 %license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt}
-- 
2.43.0

Re: [PATCH] fedora: Hide restorecon(8) errors in post-transaction scriptlet

[Max Chernoff]

Hi Stefano,

On Tue, 2025-06-10 at 17:11 +0200, Stefano Brivio wrote:
> Commit e01932353869 ("fedora: Separately restore context for /run/user
> in %posttrans selinux") added a call to restorecon for /run/user in
> the passt-selinux post-transaction scriptlet, and we can't give a path
> that's more specific than that, but it often contains FUSE mountpoints
> that are not accessible as root, resulting in warnings as the package
> is installed.
>
> Hide the errors, a failure in relabeling wouldn't be really
> problematic in any case.

I've tested installing an RPM built with both "fedora: Hide restorecon"
and "fedora: Add container-selinux" applied, and can confirm that both
are working as expected.

Thanks,
-- Max