Re: [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12

On Wed, Apr 28, 2021 at 4:11 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Wed, Apr 28, 2021 at 6:54 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > > Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
> > > This is due to kernel commit db2e718a4798 ("capabilities: require
> > > CAP_SETFCAP to map uid 0").  In order to resolve this in the test
> > > suite allow the cap_userns test domains to exercise the setfcap
> > > capability.
> > >
> > > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > > ---
> > >  policy/test_cap_userns.te |    3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> > > index ab74325..9683870 100644
> > > --- a/policy/test_cap_userns.te
> > > +++ b/policy/test_cap_userns.te
> > > @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
> > >  typeattribute test_cap_userns_t testdomain;
> > >  typeattribute test_cap_userns_t capusernsdomain;
> > >
> > > +# linux >= v5.12 needs setfcap to map UID 0
> > > +allow capusernsdomain self:capability setfcap;
> > > +
> > >  # This domain is allowed sys_admin on non-init userns for mount.
> > >  allow test_cap_userns_t self:cap_userns sys_admin;
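Review bot: the new allow rule is keyed on the attribute capusernsdomain, yet it is inserted between the per-domain typeattribute statements for test_cap_userns_t and that domain's own cap_userns rule, so it reads as a rule for the single domain; grouping it with the other capusernsdomain rules would keep attribute-wide grants together and make the broader scope of the grant obvious on review. The comment would also be easier to audit later if it named the kernel change it works around, e.g. `# linux >= v5.12 needs setfcap to map UID 0 (kernel commit db2e718a4798)`, since the commit message already cites that id.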
> >
> > Thanks! Would you mind if I move the new rule to the end of the file
> > (where other rules for the attribute live) and tweak the subject line?
> > The final commit is available for preview here:
> > https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5
>
> Sure, do whatever you think is best; you can even replace my little
> patch with another that you like better.  My main concern is just
> making sure the test suite is fixed and working :)

Ok, I have just pushed it:
https://github.com/SELinuxProject/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.