libselinux probes for the presence of selinuxfs on /sys/fs/selinux via statfs(2); this is required for any operations that involve selinuxfs. Fedora policy allows this to all domains in its base policy but refpolicy and Debian do not, so explicitly allow it to allow the tests to work. Otherwise various programs think SELinux is disabled and abort. Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> --- policy/test_global.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/test_global.te b/policy/test_global.te index c9520ec..d19b4be 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -83,6 +83,7 @@ domain_use_interactive_fds(testdomain) seutil_read_config(testdomain) # can getsecurity +selinux_getattr_fs(testdomain) selinux_validate_context(testdomain) selinux_compute_access_vector(testdomain) selinux_compute_create_context(testdomain) -- 2.23.1
