containers · lsm5 · Sep 17, 2025 · Sep 17, 2025 · Sep 17, 2025 · Sep 17, 2025
diff --git a/container.te b/container.te
@@ -322,7 +322,6 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, contain
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
-userdom_user_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
 allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;
 
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };

diff --git a/plans/main.fmf b/plans/main.fmf
@@ -18,3 +18,23 @@ prepare:
         fi
         dnf -y upgrade --allowerasing
       order: 20
+    - name: Disable installing everything from srpm
+      how: install
+      exclude:
+        - ".*"
+    - name: Install the main package
+      how: install
+      package:
+        - container-selinux
+
+/basic_check:
+    discover+:
+        test: /test/basic_check
+
+/podman_rootful_system:
+    discover+:
+        test: /test/podman_rootful_system
+
+/podman_rootless_system:
+    discover+:
+        test: /test/podman_rootless_system
diff --git a/test/main.fmf b/test/main.fmf
@@ -1,9 +1,10 @@
 require:
     - attr
-    - bats
     - container-selinux
     - podman-tests
     - policycoreutils
+recommend:
+    - bats
 
 /basic_check:
     summary: Run basic checks
@@ -12,6 +13,22 @@ require:
         semodule -B
         rpm -Vqf /var/lib/selinux/*/active/modules/200/container
 
-/podman_system_test:
+/podman_rootful_system:
     summary: Run SELinux specific Podman system tests
-    test: bash ./podman-tests.sh
+    test: bash ./podman-rootful-tests.sh
+
+/podman_rootless_system:
+    summary: Run rootless Podman system tests
+    test: bash ./podman-rootless-tests.sh
+    require+:
+        - passt
+        - passt-selinux
+    environment:
+        ROOTLESS_USER: "fedora"
+    adjust:
+        - when: distro == centos-stream
+          environment+:
+            ROOTLESS_USER: "ec2-user"
+        - when: distro == rhel
+          environment+:
+            ROOTLESS_USER: "cloud-user"
diff --git a/test/podman-tests.sh → test/podman-rootful-tests.sh b/test/podman-tests.sh → test/podman-rootful-tests.sh
diff --git a/test/podman-rootless-tests.sh b/test/podman-rootless-tests.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux passt passt-selinux podman podman-tests policycoreutils selinux-policy
+
+loginctl enable-linger "$ROOTLESS_USER"
+
+# Run podman system tests
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/410-selinux.bats"
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/500-networking.bats"
+su - "$ROOTLESS_USER" -c bats "/usr/share/podman/test/system/505-networking-pasta.bats"
-su - "$ROOTLESS_USER" -c bats "/usr/share/podman/test/system/505-networking-pasta.bats"
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/505-networking-pasta.bats"
-su - "$ROOTLESS_USER" -c bats "/usr/share/podman/test/system/505-networking-pasta.bats"
+su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/505-networking-pasta.bats"