On Fri, Dec 9, 2022 at 8:16 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> A quick heads-up that the selinux-testsuite appears broken on current
> Rawhide, presumably due to a recent addition of the user_namespace
> object class. I believe a small tweak to the selinux-testsuite policy
> for the cap_userns test should resolve the problem.
>
> % (cd selinux-testsuite; git rev-parse HEAD)
> 77352e748f006c343d602e4be03ae0d2cfcca831
> % rpm -q selinux-policy
> selinux-policy-38.2-1.fc38.noarch
> % rpm -q --changelog selinux-policy
> * Tue Dec 06 2022 Zdenek Pytela <zpytela@xxxxxxxxxx> - 38.2-1
> ...
> - Add the user_namespace security class
> ...
> % tail -f /var/log/audit/audit.log
> ...
> type=AVC msg=audit(1670612746.925:1138): avc: denied { create } for
> pid=11865 comm="userns_child_ex"
> scontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023
> tclass=user_namespace permissive=0
> ...

And I have already posted a patch to fix this shortly before you sent
this email :)

https://lore.kernel.org/selinux/20221209130220.451845-1-omosnace@xxxxxxxxxx/

I plan to apply it later today.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
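As an added example that is not part of this thread or of the selinux-testsuite: a small parser that turns the quoted AVC record into the type-enforcement allow rule a tool such as audit2allow would derive for it, using `self` when source and target types match. It assumes that derived rule is the kind of "small tweak" the report refers to; the linked patch's actual content is not shown here.

```python
import re

# The AVC record quoted in the report above, rejoined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1670612746.925:1138): avc: denied { create } for '
    'pid=11865 comm="userns_child_ex" '
    'scontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023 '
    'tclass=user_namespace permissive=0'
)

# "avc: denied { perm1 perm2 } for key=value ..." ; everything after the
# permission set is a run of key=value fields (values may be quoted).
_AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'(?P<rest>.*)$'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record; return None for non-AVC records."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in _KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Return the type field (user:role:TYPE:range) of a security context."""
    return context.split(":")[2]


def enforced(rec):
    """True if the kernel actually blocked the access (permissive=0)."""
    return rec.get("permissive") == "0"


def allow_rule(rec):
    """Build the TE allow rule that would cover a denied AVC record."""
    if rec["result"] != "denied":
        return None
    stype, ttype = type_of(rec["scontext"]), type_of(rec["tcontext"])
    target = "self" if stype == ttype else ttype   # policy idiom for same-type access
    perms = sorted(rec["perms"])
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (stype, target, rec["tclass"], perm_str)


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    print("enforced:", enforced(rec))
    print(allow_rule(rec))
```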