On Wed, Mar 1, 2023 at 10:25 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > On Tue, Feb 28, 2023 at 6:01 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > > > ibv_get_device_list(3) first tries to get the device list via netlink > > > and if that fails it falls back to getting it from sysfs. Currently the > > > policy denies getting it from netlink, generating some denials. Allow > > > test_ibpkey_access_t the necessary permissions so it can do it the > > > preferred way and doesn't generate audit AVC noise. > > > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > > --- > > > policy/test_ibpkey.te | 1 + > > > 1 file changed, 1 insertion(+) > > > > Similar to the other policy issue, it seems like this is a general > > problem and not specifically a selinux-testsuite issue, right? If > > that is the case should we fix this in refpol? I think it's okay to > > put a temporary fix in the test suite, but we should also push to fix > > this in refpol. > > Basically the same as I said in the first paragraph of my reply under > patch 1 applies here, just in this case we are talking about users of > ibv_get_device_list(3) instead of ibv_create_cq(3). Yeah, let's just tackle this in the other thread, at this point it's a bit silly to duplicate the discussion. -- paul-moore.com