BUG: selinux-testsuite failures in tests/cap_userns

A quick heads-up that the selinux-testsuite appears broken on current
Rawhide, presumably due to a recent addition of the user_namespace
object class.  I believe a small tweak to the selinux-testsuite policy
for the cap_userns test should resolve the problem.

% (cd selinux-testsuite; git rev-parse HEAD)
77352e748f006c343d602e4be03ae0d2cfcca831
% rpm -q selinux-policy
selinux-policy-38.2-1.fc38.noarch
% rpm -q --changelog selinux-policy
* Tue Dec 06 2022 Zdenek Pytela <zpytela@xxxxxxxxxx> - 38.2-1
...
- Add the user_namespace security class
...
% tail -f /var/log/audit/audit.log
...
type=AVC msg=audit(1670612746.925:1138): avc:  denied  { create } for
  pid=11865 comm="userns_child_ex"
  scontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023
  tcontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023
  tclass=user_namespace permissive=0
...

-- 
paul-moore.com
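
Added example, not part of the original message or of the selinux-testsuite: a Python sketch that parses the AVC denial quoted above (re-joining the mail-wrapped lines) and derives the raw allow rule it corresponds to, in the style of audit2allow output. The function names are hypothetical, and the actual testsuite policy tweak may take a different form, such as a policy interface macro.

```python
import re

# Constructed input: the AVC record from the message above, with the
# mail-wrapped lines kept as separate lines to exercise re-joining.
SAMPLE = """type=AVC msg=audit(1670612746.925:1138): avc:  denied  { create } for
  pid=11865 comm="userns_child_ex"
  scontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023
  tcontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023
  tclass=user_namespace permissive=0"""

DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", re.S)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Parse one AVC denial; return None if the text is not a denial."""
    m = DENIAL.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type:level; the level may itself contain ':'.
    return {
        "perms": m.group(1).split(),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def candidate_rule(record):
    """Build the raw allow rule matching the denial (review before use)."""
    avc = parse_avc(record)
    if avc is None:
        return None
    # When source and target types match, policy syntax uses "self".
    target = "self" if avc["target"] == avc["source"] else avc["target"]
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {target}:{avc['tclass']} {perm_text};"


if __name__ == "__main__":
    print(candidate_rule(SAMPLE))
```

The derived rule only restates what was denied; whether granting it is appropriate for the test domain is a policy decision.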


