userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd test domains the corresponding SELinux permission, otherwise the tests will fail when the sysctl is set to 0 (e.g. Fedora 34+). While there, also remove a commented-out rule that doesn't need to be there. Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/test_userfaultfd.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te index e29723d..f15ef89 100644 --- a/policy/test_userfaultfd.te +++ b/policy/test_userfaultfd.te @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t) # Domain for process that cannot read from userfaultfd userfaultfd_domain_type(test_noread_uffd_t) +# userfaultfd(2) requires CAP_SYS_PTRACE +allow test_uffd_domain self:capability { sys_ptrace }; + # Allow all of these domains to be executed -#allow test_uffd_domain test_file_t:file { entrypoint map execute }; miscfiles_domain_entry_test_files(test_uffd_domain) unconfined_runs_test(test_uffd_domain) userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain) -- 2.29.2
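Review bot: the added comment `# userfaultfd(2) requires CAP_SYS_PTRACE` states the requirement unconditionally, whereas the commit message says it only applies when vm.unprivileged_userfaultfd is set to 0; consider stating the condition in the comment (e.g. `# userfaultfd(2) requires CAP_SYS_PTRACE when vm.unprivileged_userfaultfd=0`) so a later reader does not drop the `allow test_uffd_domain self:capability { sys_ptrace };` rule as unnecessary after testing on a host where the sysctl is 1. Removing the commented-out `#allow test_uffd_domain test_file_t:file { entrypoint map execute };` line in the same hunk is unrelated cleanup; it is harmless, but it would be cleaner as its own commit so the Fixes: tag covers only the functional change.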