Revert "container: label /run/user/*/crun as container_var_run_t"

sbrivio-rh · lsm5 · commit ed9b82745347 · 2025-09-17T11:24:29.000-04:00
This reverts commit ae3532b ("container: label /run/user/*/crun as container_var_run_t") as it breaks basic Podman operation with pasta(1) (default rootless back-end): Error: setting up Pasta: pasta failed with exit code 1: Couldn't open PID file /run/user/1000/containers/networks/rootless-netns/rootless-netns-conn.pid: Permission denied A solution is being worked on, but it's not quite ready yet, see: #405 in the meantime, revert this to avoid widespread breakage for users. Link: #405 Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
diff --git a/container.te b/container.te
@@ -322,7 +322,6 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
-userdom_user_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;
 
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
