On Sun, Jan 24, 2021 at 11:57 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the > vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd > test domains the corresponding SELinux permission, otherwise the tests > will fail when the sysctl is set to 0 (e.g. Fedora 34+). > > While there, also remove a commented-out rule that doesn't need to be > there. > > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> Reviewed-by: Lokesh Gidra <lokeshgidra@xxxxxxxxxx> Sorry for overlooking this earlier. > --- > policy/test_userfaultfd.te | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te > index e29723d..f15ef89 100644 > --- a/policy/test_userfaultfd.te > +++ b/policy/test_userfaultfd.te > @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t) > # Domain for process that cannot read from userfaultfd > userfaultfd_domain_type(test_noread_uffd_t) > > +# userfaultfd(2) requires CAP_SYS_PTRACE > +allow test_uffd_domain self:capability { sys_ptrace }; > + > # Allow all of these domains to be executed > -#allow test_uffd_domain test_file_t:file { entrypoint map execute }; > miscfiles_domain_entry_test_files(test_uffd_domain) > unconfined_runs_test(test_uffd_domain) > userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain) > -- > 2.29.2 >
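Review bot: the comment added above the new allow rule ("userfaultfd(2) requires CAP_SYS_PTRACE") states the requirement unconditionally, while the commit message says it only applies when vm.unprivileged_userfaultfd is 0; suggest the comment carry that condition, e.g. `# userfaultfd(2) requires CAP_SYS_PTRACE when vm.unprivileged_userfaultfd=0`, so a later reader does not take the rule for an unconditional kernel requirement and drop it when the sysctl default changes. Granting the permission on the test_uffd_domain attribute rather than on test_uffd_t alone is the right scope: test_noioctl_uffd_t and test_noread_uffd_t still have to get past the userfaultfd(2) call before the ioctl and read denials they exist to exercise can be observed. Minor style point: the braces in `{ sys_ptrace }` are optional for a single permission; either form is accepted, but the surrounding file should stay consistent. Dropping the commented-out `allow test_uffd_domain test_file_t:file { entrypoint map execute };` is fine since `miscfiles_domain_entry_test_files(test_uffd_domain)` on the next line already covers the entrypoint.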
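When a userfaultfd test starts failing with EPERM it helps to know which gate rejected the call: the vm.unprivileged_userfaultfd sysctl, a missing CAP_SYS_PTRACE in the process's own effective set, or an LSM (here SELinux) denying the capability even though CapEff carries the bit, which is exactly the case the patch addresses. The following probe is an added example, not part of the patch or of the selinux-testsuite; it encodes the rule from the commit message, reads the sysctl and CapEff from /proc, calls userfaultfd(2) directly and says which explanation fits. It assumes Linux with a libc that defines SYS_userfaultfd, and the CAP_SYS_PTRACE bit index (19) is taken from linux/capability.h.

```c
/* Added example, not part of the patch or the selinux-testsuite.  Probes the
 * gates the commit message ties together.  Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef CAP_SYS_PTRACE
#define CAP_SYS_PTRACE 19   /* bit index as in linux/capability.h (assumed) */
#endif

enum uffd_expect { UFFD_EXPECT_OK, UFFD_EXPECT_EPERM };

/* The rule from the commit message: with vm.unprivileged_userfaultfd = 0 the
 * caller needs CAP_SYS_PTRACE; with it set to 1 any process may call
 * userfaultfd(2). */
enum uffd_expect uffd_expected(int sysctl_value, int has_sys_ptrace)
{
    if (sysctl_value == 0 && !has_sys_ptrace)
        return UFFD_EXPECT_EPERM;
    return UFFD_EXPECT_OK;
}

/* Parses one line of /proc/self/status.  Returns 1/0 for whether `cap` is in
 * the effective set if the line is the CapEff line, -1 for any other line. */
int capeff_line_has_cap(const char *line, int cap)
{
    unsigned long long mask;
    if (sscanf(line, "CapEff: %llx", &mask) != 1)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Returns 1 if the process has `cap` in CapEff, 0 if not, -1 if
 * /proc/self/status could not be read. */
int effective_cap_set(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;
    if (!f)
        return -1;
    while (result < 0 && fgets(line, sizeof line, f))
        result = capeff_line_has_cap(line, cap);
    fclose(f);
    return result;
}

/* Returns the sysctl value, or -1 if the knob is absent (kernel without it,
 * or /proc/sys hidden by a sandbox). */
int read_unprivileged_userfaultfd(void)
{
    FILE *f = fopen("/proc/sys/vm/unprivileged_userfaultfd", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Calls userfaultfd(2) directly; returns 0 on success (the fd is closed
 * again) or the errno it failed with.  EPERM can come from the kernel's
 * capability check, from an LSM denying the capability, or from seccomp. */
int probe_userfaultfd(void)
{
#ifdef SYS_userfaultfd
    long fd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
#else
    return ENOSYS;  /* libc too old to know the syscall number */
#endif
}

int main(void)
{
    int sysctl = read_unprivileged_userfaultfd();
    int cap = effective_cap_set(CAP_SYS_PTRACE);
    int err = probe_userfaultfd();

    printf("vm.unprivileged_userfaultfd = %d\n", sysctl);
    printf("CAP_SYS_PTRACE in CapEff    = %d\n", cap);
    printf("userfaultfd(2)              = %s\n", err ? strerror(err) : "ok");

    if (err != EPERM || sysctl < 0 || cap < 0)
        return 0;
    if (uffd_expected(sysctl, cap) == UFFD_EXPECT_EPERM)
        printf("expected: unprivileged caller with the sysctl at 0\n");
    else if (sysctl == 0)
        printf("CapEff has the bit but capable() still failed: look for an "
               "AVC denial on capability sys_ptrace (ausearch -m AVC), or a "
               "seccomp filter\n");
    else
        printf("sysctl is 1 so no capability check applies: suspect seccomp\n");
    return 0;
}
```

Run it as the test domain's user both before and after loading the updated policy: with the sysctl at 0 and CapEff showing the bit, an EPERM that disappears once `allow test_uffd_domain self:capability { sys_ptrace };` is loaded is the SELinux denial the patch fixes, while an EPERM that persists points at seccomp or at the caller really lacking the capability.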