On Tue, Apr 27, 2021 at 4:33 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > On Tue, Apr 27, 2021 at 12:34 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te > > index ab74325..052afea 100644 > > --- a/policy/test_cap_userns.te > > +++ b/policy/test_cap_userns.te > > @@ -14,6 +14,7 @@ typeattribute test_cap_userns_t capusernsdomain; > > > > # This domain is allowed sys_admin on non-init userns for mount. > > allow test_cap_userns_t self:cap_userns sys_admin; > > +allow test_cap_userns_t self:capability setfcap; > > I think we should allow the capability to both domains (i.e. to > capusernsdomain). We are testing cap_userns::sys_admin here and if the > tested operation is not denied for a domain that has only > capability::setfcap, we want the test to fail. > > Also, a comment with a sentence explaining why CAP_SETFCAP is needed > would be nice :) Fair enough, v2 will be out shortly. -- paul moore www.paul-moore.com
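Review bot: The added `allow test_cap_userns_t self:capability setfcap;` grants setfcap only to the domain that also holds cap_userns sys_admin, and it sits under the comment "This domain is allowed sys_admin on non-init userns for mount", which does not describe it. If the other domain carrying the capusernsdomain attribute lacks setfcap, its expected denial could come from the missing setfcap rather than from the missing cap_userns sys_admin, so the test would no longer isolate the permission it is meant to check. Consider granting the rule to the attribute instead, e.g. `allow capusernsdomain self:capability setfcap;`, and adding a one-line comment that says why the test needs CAP_SETFCAP.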