[PATCH] testsuite: fix cap_userns for kernels >= v5.12


 



Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
This is due to kernel commit db2e718a4798 ("capabilities: require
CAP_SETFCAP to map uid 0").  In order to resolve this in the test
suite, allow the test_cap_userns_t domain to exercise the setfcap
capability.

Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
---
 policy/test_cap_userns.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
index ab74325..052afea 100644
--- a/policy/test_cap_userns.te
+++ b/policy/test_cap_userns.te
@@ -14,6 +14,7 @@ typeattribute test_cap_userns_t capusernsdomain;
 
 # This domain is allowed sys_admin on non-init userns for mount.
 allow test_cap_userns_t self:cap_userns sys_admin;
+allow test_cap_userns_t self:capability setfcap;
 
 # Domain for process that is not allowed non-init userns capabilities
 type test_no_cap_userns_t;
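
Review bot: the added `allow test_cap_userns_t self:capability setfcap;` line sits directly under the comment "This domain is allowed sys_admin on non-init userns for mount.", which does not cover it, so the policy file itself gives no reason for the rule. Please add a one-line comment above it saying that kernels >= v5.12 require CAP_SETFCAP to map UID 0, and note why the class is `capability` while the neighbouring rule uses `cap_userns`. The rule is also granted only to test_cap_userns_t. If the test_no_cap_userns_t domain declared just below maps UID 0 as well, it would now fail at the mapping step instead of at the cap_userns denial the test is meant to observe, so consider whether the rule belongs on the shared capusernsdomain attribute seen in the hunk header.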



