From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=J9G3VHbb;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTPS id 31A7F5A08B5
	for <passt-dev@passt.top>; Wed, 17 Sep 2025 17:05:35 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1758121534;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=z1XEFlWyNGpELRWdhlbQiRE7COUvuBH1EIf574MSQ1Q=;
	b=J9G3VHbbnrTzRzP76kU5/6ls7RticsrZTjPuzO+qXkS+fk97isG4HkapZK7rAUIYIf+vXs
	tfm8bqU4hTBtOKM11Z9lxtfncSlnD0e/a34BykQU+taGYOCaLMDlgLrTWfwf74ZK7l2UQF
	rSa6MENFgGiKvhjKLPJ4qH1Iyw4w3uY=
Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com
 [209.85.128.69]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-602-P9F0ZN93Nn-W4IBlHQJi9g-1; Wed, 17 Sep 2025 11:05:30 -0400
X-MC-Unique: P9F0ZN93Nn-W4IBlHQJi9g-1
X-Mimecast-MFC-AGG-ID: P9F0ZN93Nn-W4IBlHQJi9g_1758121529
Received: by mail-wm1-f69.google.com with SMTP id 5b1f17b1804b1-45e05ff0b36so4940695e9.0
        for <passt-dev@passt.top>; Wed, 17 Sep 2025 08:05:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1758121529; x=1758726329;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=z1XEFlWyNGpELRWdhlbQiRE7COUvuBH1EIf574MSQ1Q=;
        b=NCNysrGpP2ULQt5Nitvqn5N2fplLDnok98V90Bvljsy29rQx2BLz3d+Qk9CRXOZUI9
         KiJhmn4CTJRIFpo+bJm60wWblyOjkIkThqHmmsveUJnk+0PEwZe/U46H9geI8i40aC7O
         FsrcTsQdSpO9lh5QVg5TX57JGvmhklz0sO8ghnSMdMvB9MoQWVjiNRD0xX58Saoop0Ii
         SOCWsaBNjNc5v3VeFf70IQqv60k0mL3JH+t5Qs5HfnKKonWDSyyog3uyXe4UJkejqg22
         mRUb56kBvZoEjBAfJ+V6OxxVToYzRTrkd0syNw5kTMeSUPwFWP3HWHerht8JBETQbEPA
         v5Tg==
X-Gm-Message-State: AOJu0Yyub2xsNpjkMfnfweVQQ4R3bB168xslPOT9IbHYDoq7dUcjpcvH
	lfGUK89IDo4MzCTMeZbUKlvPqrKFrD17pa8y27vEr+0Pj1rvjUHjItFeJ1eakJICfzXy8oFFY/J
	B4v4jZk/2EFJVV2E1WLQPGBUinngx9ZQtHSfuYeFRkXfo37wWo+oi9w==
X-Gm-Gg: ASbGncuu/1Ab0oyar9wiP62jzfyAZePJ1cKDGp+5CZ0ieC3npq7zTOvQiIA5rFZ8+UH
	a1P+VuxR6utma/mYcpKZ9qFFSm1tn9jAKyxyMDo2K2KUXx2thhqT4RTUh66n+qh/iMRiej3ryWW
	usKocgB4LK8jQibMCba3Ft4lZE2ACVzu74u1LiG4xf7R85YW7vohlDP9WJVzlB00Hsl9S1Wi/MU
	F1h5u3OMH9krVXKHcnj0+fNkNixY/rh1+mB6xeMgqaFtpSEUQVtjd7pVH5KL/Fwe6AlBSd0tzD8
	mIiNrQl0JYtZ7TyoiQQLKEMa58rnvF67hWSiLg8nIQh+kee1gkwmYAnUCzrGQaZ2A4wD
X-Received: by 2002:a05:6000:2305:b0:3e8:2c9a:5fd9 with SMTP id ffacd0b85a97d-3ec9fad10b8mr6010591f8f.21.1758121529303;
        Wed, 17 Sep 2025 08:05:29 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGwBaGbRkliYjP2TMNJht4mMt6+nKMglDmmEdV6dxHCtx4+O0G2dU0XYTibpx16I29+dNdmUw==
X-Received: by 2002:a05:6000:2305:b0:3e8:2c9a:5fd9 with SMTP id ffacd0b85a97d-3ec9fad10b8mr6010541f8f.21.1758121528602;
        Wed, 17 Sep 2025 08:05:28 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3e9cf04db65sm15056896f8f.3.2025.09.17.08.05.27
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 17 Sep 2025 08:05:27 -0700 (PDT)
Date: Wed, 17 Sep 2025 17:05:26 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: Paul Holzinger <pholzing@redhat.com>
Subject: Re: [PATCH 2/2] selinux: add missing file contexts for Podman
Message-ID: <20250917170526.588371bf@elisabeth>
In-Reply-To: <20250917120450.36181-4-pholzing@redhat.com>
References: <20250917120450.36181-2-pholzing@redhat.com>
	<20250917120450.36181-4-pholzing@redhat.com>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 09Fe67OTlkwW9R1fZTM75wBI5yvvZkVJtY3BH6Qoqwg_1758121529
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: HU22MBOES44EOKOHKGRRLM3XRXJ4FRKB
X-Message-ID-Hash: HU22MBOES44EOKOHKGRRLM3XRXJ4FRKB
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Max Chernoff <git@maxchernoff.ca>, Giuseppe Scrivano <gscrivan@redhat.com>, Lokesh Mandvekar <lmandvek@redhat.com>, Dan Walsh <dwalsh@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20250917170526.588371bf@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/HU22MBOES44EOKOHKGRRLM3XRXJ4FRKB/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Wed, 17 Sep 2025 14:04:52 +0200
Paul Holzinger <pholzing@redhat.com> wrote:

> Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not
> defined. Make sure the policy defined the right context for them as
> well.
> 
> Link: https://github.com/containers/podman/issues/26473
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
> 
> Signed-off-by: Paul Holzinger <pholzing@redhat.com>
> ---
>  contrib/selinux/pasta.fc | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
> index e4aefc4..c0f91df 100644
> --- a/contrib/selinux/pasta.fc
> +++ b/contrib/selinux/pasta.fc
> @@ -14,3 +14,8 @@
>  /var/run/pasta\.pid					system_u:object_r:pasta_pid_t:s0
>  /run/user/%{USERID}/netns				system_u:object_r:ifconfig_var_run_t:s0
>  /run/user/%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0
> +# In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) podman falls back to a location under /tmp

Two more nits I can fix up on merge:

- s/podman/Podman/

- we typically wrap those comments at 80 columns, where possible, like
  in every other source file in the project (see e.g. selinux/passt.te)

> +/tmp/storage-run-%{USERID}/netns									system_u:object_r:ifconfig_var_run_t:s0
> +/tmp/storage-run-%{USERID}/containers/networks/rootless-netns		system_u:object_r:ifconfig_var_run_t:s0
> +/tmp/containers-user-%{USERID}/netns								system_u:object_r:ifconfig_var_run_t:s0
> +/tmp/containers-user-%{USERID}/containers/networks/rootless-netns	system_u:object_r:ifconfig_var_run_t:s0

Everything else looks good to me, thanks for fixing this (...or so I
hope!).

-- 
Stefano