On Fri, Dec 9, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> The cap_userns test's helper program needs this new permission for its
> operation - detect the support of it and conditionally add the necessary
> rule.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
> policy/Makefile | 4 ++++
> policy/test_cap_userns.te | 1 +
> policy/test_global.te | 4 ++++
> 3 files changed, 9 insertions(+)
>
> diff --git a/policy/Makefile b/policy/Makefile
> index 403802b..f18e15d 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -166,6 +166,10 @@ ifeq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo
> TARGETS += test_secretmem.te
> endif
>
> +ifeq ($(shell grep -q user_namespace $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +export M4PARAM += -Duser_namespace_defined
> +endif
> +
> all: build
>
> expand_check:
> diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> index 3e68feb..6f44487 100644
> --- a/policy/test_cap_userns.te
> +++ b/policy/test_cap_userns.te
> @@ -19,5 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t)
> typeattribute test_no_cap_userns_t capusernsdomain;
>
> # Rules common to both domains.
> +allow_userns_create(capusernsdomain)
> # linux >= v5.12 needs setfcap to map UID 0
> allow capusernsdomain self:capability setfcap;
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 1b20cbc..e95102a 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
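Review bot: The new `grep -q user_namespace` check in policy/Makefile matches that text anywhere in all_perms.spt, so a comment or a longer identifier containing the same substring would also set user_namespace_defined; `grep -qw user_namespace` (or a pattern anchored to the class declaration) would be stricter. This mirrors the existing anon_inode check two lines above, so it is at least consistent with the file, and a false positive would most likely surface as a policy build failure on the new allow rule rather than a silently weaker test. Whether the headers in $(POLDEV) track the running kernel closely enough for this to matter is not visible here.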
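Review bot: The added `allow_userns_create(capusernsdomain)` line in policy/test_cap_userns.te has no comment, while the neighbouring setfcap rule records why it is needed and since which kernel; a reader has to chase the macro into test_global.te to learn that it expands to `allow $1 self:user_namespace create;` only when the policy headers define the class, and to nothing otherwise. Suggest a comment in the same style directly above the call, e.g. `# newer kernels check user_namespace create when the helper creates a user namespace (no-op on older policy headers)` — the trigger is inferred from the permission name and the commit message, so confirm the wording against the kernel hook. Keeping the comment above the macro call also leaves the existing `# linux >= v5.12` note unambiguously attached to the setfcap rule.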
> @@ -171,3 +171,7 @@ ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;')
> define(`allow_lockdown_confidentiality',
> ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
> )
> +
> +define(`allow_userns_create',
> +ifdef(`user_namespace_defined', `allow $1 self:user_namespace create;')
> +)
> --
> 2.38.1
>
This patch is now applied: https://github.com/SELinuxProject/selinux-testsuite/commit/3389abeaa3bb6fdf23a0f2d8b1550fae69f9c52e -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.