The cap_userns test's helper program needs this new permission for its operation - detect the support of it and conditionally add the necessary rule. Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/Makefile | 4 ++++ policy/test_cap_userns.te | 1 + policy/test_global.te | 4 ++++ 3 files changed, 9 insertions(+) diff --git a/policy/Makefile b/policy/Makefile index 403802b..f18e15d 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -166,6 +166,10 @@ ifeq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo TARGETS += test_secretmem.te endif +ifeq ($(shell grep -q user_namespace $(POLDEV)/include/support/all_perms.spt && echo true),true) +export M4PARAM += -Duser_namespace_defined +endif + all: build expand_check: diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te index 3e68feb..6f44487 100644 --- a/policy/test_cap_userns.te +++ b/policy/test_cap_userns.te @@ -19,5 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t) typeattribute test_no_cap_userns_t capusernsdomain; # Rules common to both domains. +allow_userns_create(capusernsdomain) # linux >= v5.12 needs setfcap to map UID 0 allow capusernsdomain self:capability setfcap; diff --git a/policy/test_global.te b/policy/test_global.te index 1b20cbc..e95102a 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -171,3 +171,7 @@ ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;') define(`allow_lockdown_confidentiality', ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;') ) + +define(`allow_userns_create', +ifdef(`user_namespace_defined', `allow $1 self:user_namespace create;') +) -- 2.38.1