userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
test domains the corresponding SELinux permission, otherwise the tests
will fail when the sysctl is set to 0 (e.g. Fedora 34+).
While there, also remove a commented-out rule that doesn't need to be
there.
Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
policy/test_userfaultfd.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index e29723d..f15ef89 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t)
# Domain for process that cannot read from userfaultfd
userfaultfd_domain_type(test_noread_uffd_t)
+# userfaultfd(2) requires CAP_SYS_PTRACE
+allow test_uffd_domain self:capability { sys_ptrace };
+
# Allow all of these domains to be executed
-#allow test_uffd_domain test_file_t:file { entrypoint map execute };
miscfiles_domain_entry_test_files(test_uffd_domain)
unconfined_runs_test(test_uffd_domain)
userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
--
2.29.2
