From a64255c8dc2d9dfe9fd77377192979001cb04a4c Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Wed, 17 Sep 2025 08:48:05 -0400 Subject: [PATCH 1/3] TMT: run passt system tests from podman Signed-off-by: Lokesh Mandvekar --- plans/main.fmf | 12 ++++++++++ test/main.fmf | 23 ++++++++++++++++--- ...odman-tests.sh => podman-rootful-tests.sh} | 0 test/podman-rootless-tests.sh | 15 ++++++++++++ 4 files changed, 47 insertions(+), 3 deletions(-) rename test/{podman-tests.sh => podman-rootful-tests.sh} (100%) create mode 100644 test/podman-rootless-tests.sh diff --git a/plans/main.fmf b/plans/main.fmf index baa8b2fc..9b2c0705 100644 --- a/plans/main.fmf +++ b/plans/main.fmf @@ -18,3 +18,15 @@ prepare: fi dnf -y upgrade --allowerasing order: 20 + +/basic_check: + discover+: + test: /test/basic_check + +/podman_rootful_system: + discover+: + test: /test/podman_rootful_system + +/podman_rootless_system: + discover+: + test: /test/podman_rootless_system diff --git a/test/main.fmf b/test/main.fmf index 4b186d5c..741aef12 100644 --- a/test/main.fmf +++ b/test/main.fmf @@ -1,9 +1,10 @@ require: - attr - - bats - container-selinux - podman-tests - policycoreutils +recommend: + - bats /basic_check: summary: Run basic checks @@ -12,6 +13,22 @@ require: semodule -B rpm -Vqf /var/lib/selinux/*/active/modules/200/container -/podman_system_test: +/podman_rootful_system: summary: Run SELinux specific Podman system tests - test: bash ./podman-tests.sh + test: bash ./podman-rootful-tests.sh + +/podman_rootless_system: + summary: Run rootless Podman system tests + test: bash ./podman-rootless-tests.sh + require+: + - passt + - passt-selinux + environment: + ROOTLESS_USER: "fedora" + adjust: + - when: distro == centos-stream + environment+: + ROOTLESS_USER: "ec2-user" + - when: distro == rhel + environment+: + ROOTLESS_USER: "cloud-user" 
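Review bot: In test/main.fmf, `bats` moves from `require` to `recommend`, yet the rootless script added in this same patch runs every suite through `bats` and also lists it in an `rpm -q` call under `set -e`. With `recommend`, tmt skips a package it cannot install instead of failing the prepare step, so a missing bats would only surface later as a test-script failure rather than as a provisioning error. If the move is needed because bats is not packaged for some target distro, say so next to the entry, for example `# bats is not available in every target repo (confirm); the test scripts check for it with rpm -q`. Otherwise keeping it under `require` is the clearer contract.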
diff --git a/test/podman-tests.sh b/test/podman-rootful-tests.sh similarity index 100% rename from test/podman-tests.sh rename to test/podman-rootful-tests.sh diff --git a/test/podman-rootless-tests.sh b/test/podman-rootless-tests.sh new file mode 100644 index 00000000..591f3970 --- /dev/null +++ b/test/podman-rootless-tests.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +set -exo pipefail + +cat /etc/redhat-release + +# Print versions of distro and installed packages +rpm -q bats container-selinux passt passt-selinux podman podman-tests policycoreutils selinux-policy + +loginctl enable-linger "$ROOTLESS_USER" + +# Run podman system tests +su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/410-selinux.bats" +su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/500-networking.bats" +su - "$ROOTLESS_USER" -c bats "/usr/share/podman/test/system/505-networking-pasta.bats" From 5a5c9d79fed2ef55aae8c2414db61830e83286fa Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Wed, 17 Sep 2025 10:24:21 -0400 Subject: [PATCH 2/3] TMT: additional prepare steps for consistency This should make local and testing-farm CLI runs rather consistent with Packit runs by enforcing the main package installation. Signed-off-by: Lokesh Mandvekar --- plans/main.fmf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/plans/main.fmf b/plans/main.fmf index 9b2c0705..87a1014e 100644 --- a/plans/main.fmf +++ b/plans/main.fmf @@ -18,6 +18,14 @@ prepare: fi dnf -y upgrade --allowerasing order: 20 + - name: Disable installing everything from srpm + how: install + exclude: + - ".*" + - name: Install the main package + how: install + package: + - container-selinux /basic_check: discover+: From 3fbc303259eadd7b169763f5cf1eb2e23a4faf71 Mon Sep 17 00:00:00 2001 
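Review bot: The last `su` line in test/podman-rootless-tests.sh closes its quote too early: in `-c bats "/usr/share/podman/test/system/505-networking-pasta.bats"`, `-c` receives only the word `bats`, and the path goes to the login shell as a separate argument instead of to bats. As written, the pasta suite is therefore not run, unlike the two lines above it, even though it is the one that exercises the passt and passt-selinux policy this test requires. The line should read `su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/505-networking-pasta.bats"`. Because the script sets `-e` but not `-u`, a guard such as `: "${ROOTLESS_USER:?ROOTLESS_USER must be set}"` before `loginctl enable-linger` would also stop an empty user name from reaching `loginctl` and `su`.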
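Review bot: The added `Install the main package` step in plans/main.fmf (patch 2/3) names `container-selinux` without a version or source, and nothing visible in this hunk ties it to the build under test once the preceding step excludes every srpm artifact with `".*"`. On a local or testing-farm CLI run this could presumably resolve to the distro's packaged policy, so the SELinux suites would pass or fail against a policy other than the one in the tree. It is worth confirming which repo wins in each run mode and recording it in a comment above the step, for example `# installs container-selinux from <repo providing the build under test>`. Neither new step sets `order`, unlike the `order: 20` step above; the prepare block starts outside the hunk, so the intended sequence cannot be checked from here.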
From: Stefano Brivio Date: Wed, 17 Sep 2025 16:33:18 +0200 Subject: [PATCH 3/3] Revert "container: label /run/user/*/crun as container_var_run_t" This reverts commit ae3532b16fea ("container: label /run/user/*/crun as container_var_run_t") as it breaks basic Podman operation with pasta(1) (default rootless back-end): Error: setting up Pasta: pasta failed with exit code 1: Couldn't open PID file /run/user/1000/containers/networks/rootless-netns/rootless-netns-conn.pid: Permission denied A solution is being worked on, but it's not quite ready yet, see: https://github.com/containers/container-selinux/pull/405 in the meantime, revert this to avoid widespread breakage for users. Link: https://github.com/containers/container-selinux/pull/405 Signed-off-by: Stefano Brivio --- container.te | 1 - 1 file changed, 1 deletion(-) diff --git a/container.te b/container.te index fb464f98..63ae6bfe 100644 --- a/container.te +++ b/container.te @@ -322,7 +322,6 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, contain manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) -userdom_user_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom; allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };