Bug
Resolution: Unresolved
Critical
rhel-10.0
Important
rhel-sst-cs-plumbers
ssg_core_services
What were you trying to do that didn't work?
The update from systemd-256-18.el10.x86_64 to systemd-257-2.el10.x86_64 broke the SELinux context for units which use DynamicUser=. This was spotted in Cockpit's CentOS 10 image update. 257 isn't yet in the RHEL 10 composes, but as it passed gating it will soon.
/tmp and /var/tmp now have context init_var_run_t instead of tmp_t. This causes test failures which look like this:
  File "/usr/lib/python3.12/site-packages/cockpit/beiboot.py", line 296, in __init__
    self.tmpdir = tempfile.TemporaryDirectory()
[...]
  File "/usr/lib64/python3.12/tempfile.py", line 223, in _get_default_tempdir
    raise FileNotFoundError(_errno.ENOENT,
FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']
What is the impact of this issue to you?
Breaks cockpit's web server.
Please provide the package NVR for which the bug is seen:
systemd-257-2.el10.x86_64
How reproducible is this bug?
Always
Steps to reproduce
The easiest way to reproduce is with a dynamic
systemd-run --wait --pipe -p DynamicUser=yes -p User=test-user ls -ldZ /tmp /var/tmp
(Of course it also happens with a static test.service.)
Expected results
drwxrwxrwt. 2 root root system_u:object_r:tmp_t:s0 6 Jan 7 04:12 /tmp
drwxrwxrwt. 2 root root system_u:object_r:tmp_t:s0 6 Jan 7 04:12 /var/tmp
Actual results
drwxrwxrwt. 2 root root system_u:object_r:init_var_run_t:s0 40 Jan 7 04:12 /tmp
drwxrwxrwt. 2 root root system_u:object_r:init_var_run_t:s0 40 Jan 7 04:12 /var/tmp
The context is correct when merely using PrivateTmp instead of DynamicUser:
systemd-run --wait --pipe -p PrivateTmp=yes ls -ldZ /tmp /var/tmp
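
The reproducer above can be turned into a pass/fail check by parsing the `ls -ldZ` output and comparing the SELinux type field. This is an added example, not part of the original report and not systemd or Cockpit code; the function name `check_tmp_labels` is hypothetical, and the sample lines are copied from the "Actual results" above.

```shell
#!/bin/sh
# check_tmp_labels [TYPE]: read `ls -ldZ` output on stdin and print every
# path whose SELinux type differs from TYPE (default: tmp_t).
# Exit status: 0 = all labels match, 1 = mismatch found, 2 = no context seen.
check_tmp_labels() {
    expected_type="${1:-tmp_t}"
    awk -v want="$expected_type" '
        {
            ctx = ""
            # The context is the first field shaped user:role:type:level
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            if (ctx == "") next          # unlabeled or non-listing line
            seen++
            split(ctx, part, ":")
            if (part[3] != want) {
                printf "%s has type %s, expected %s\n", $NF, part[3], want
                bad++
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Sample input taken from the "Actual results" section of this report.
sample_actual='drwxrwxrwt. 2 root root system_u:object_r:init_var_run_t:s0 40 Jan 7 04:12 /tmp
drwxrwxrwt. 2 root root system_u:object_r:init_var_run_t:s0 40 Jan 7 04:12 /var/tmp'

printf '%s\n' "$sample_actual" | check_tmp_labels \
    || echo "label check failed with status $?"

# On a live system (as root), feed it the reproducer from the report:
#   systemd-run --wait --pipe -p DynamicUser=yes -p User=test-user \
#       ls -ldZ /tmp /var/tmp | check_tmp_labels
```

Status 2 separates "no SELinux context in the output" (for example, the unit failed to start) from a real label mismatch, so an automated test does not pass on empty output.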