Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root. This is due to kernel commit db2e718a4798 ("capabilities: require CAP_SETFCAP to map uid 0"). In order to resolve this in the test suite allow the cap_userns test domains to exercise the setfcap capability. Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx> --- policy/test_cap_userns.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te index ab74325..9683870 100644 --- a/policy/test_cap_userns.te +++ b/policy/test_cap_userns.te @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t) typeattribute test_cap_userns_t testdomain; typeattribute test_cap_userns_t capusernsdomain; +# linux >= v5.12 needs setfcap to map UID 0 +allow capusernsdomain self:capability setfcap; + # This domain is allowed sys_admin on non-init userns for mount. allow test_cap_userns_t self:cap_userns sys_admin;
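Review bot: the new rule `allow capusernsdomain self:capability setfcap;` only covers the case where the kernel checks CAP_SETFCAP against the init user namespace; the neighbouring rule `allow test_cap_userns_t self:cap_userns sys_admin;` shows that checks against a non-init user namespace land in the `cap_userns` class instead, so if any test in this domain writes a uid_map for a user namespace nested inside another one, a matching `self:cap_userns setfcap` rule is needed as well. Also consider widening the comment to cite kernel commit db2e718a4798 from the description, so the reason for the rule is recoverable from the policy file alone.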