Hello all, While tracking down a test failure before sending the SELinux PR to Linus for v5.12 I noticed that the latest Fedora Rawhide policy update breaks the selinux-testsuite, specifically the lockdown test. While I haven't tracked it all the way down to the root cause, I suspect the additional lockdown permissions added to the policy may be the problem. Changelog snippet below: * Thu Feb 11 2021 Zdenek Pytela <zpytela@xxxxxxxxxx> - 3.14.8-1 - Bump version as Fedora 34 has been branched off rawhide - Allow xdm watch its private lib dirs, /etc, /usr - Allow systemd-importd create /run/systemd/machines.lock file - Allow rhsmcertd_t read kpatch lib files - Add integrity lockdown permission into dev_read_raw_memory() - Add confidentiality lockdown permission into fs_rw_tracefs_files() - Allow gpsd read and write ptp4l_t shared memory. - Allow colord watch its private lib files and /usr - Allow init watch_reads mount PID files - Allow IPsec and Certmonger to use opencryptoki services FWIW, reverting to selinux-policy-3.14.7-18 resolves the problem. -- paul moore www.paul-moore.com
