Re: BUG: selinux-testsuite failures in tests/cap_userns

On Fri, Dec 9, 2022 at 8:16 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> A quick heads-up that the selinux-testsuite appears broken on current
> Rawhide, presumably due to a recent addition of the user_namespace
> object class.  I believe a small tweak to the selinux-testsuite policy
> for the cap_userns test should resolve the problem.
>
> % (cd selinux-testsuite; git rev-parse HEAD)
> 77352e748f006c343d602e4be03ae0d2cfcca831
> % rpm -q selinux-policy
> selinux-policy-38.2-1.fc38.noarch
> % rpm -q --changelog selinux-policy
> * Tue Dec 06 2022 Zdenek Pytela <zpytela@xxxxxxxxxx> - 38.2-1
> ...
> - Add the user_namespace security class
> ...
> % tail -f /var/log/audit/audit.log
> ...
> type=AVC msg=audit(1670612746.925:1138): avc:  denied  { create } for
>   pid=11865 comm="userns_child_ex"
>   scontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023
>   tcontext=unconfined_u:unconfined_r:test_cap_userns_t:s0-s0:c0.c1023
>   tclass=user_namespace permissive=0
> ...

And I have already posted a patch to fix this shortly before you sent
this email :)

https://lore.kernel.org/selinux/20221209130220.451845-1-omosnace@xxxxxxxxxx/

I plan to apply it later today.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.



