On Tue, Apr 6, 2021 at 7:33 PM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote: > On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote: > > Hi all, > > > > Kernel 5.12 added support to SELinux for controlling access to the > > userfaultfd interface [1][2] and we'd like to implement this in > > Fedora's selinux-policy. However, once we add the corresponding class > > to the policy, all SELinux domains for which we don't add the > > appropriate rules will have any usage of userfaultfd(2) denied. > > https://codesearch.debian.net/search?q=userfaultfd(&literal=1 > lists a few candidates… Thanks, that's a nice tool! Filtering out false-positives, the kernel itself, and user programs that would normally run under unconfined_t, packages dead in Fedora, ..., the only relevant one seems to be 'criu' (already mentioned in this thread). Strange that it didn't find QEMU... maybe needs a more generic search... -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc. _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure