On Wed, 15 Feb 2023 14:18:07 +0100 Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > 1. First determine if CAP_SET[UG]ID is required and only then call > ns_capable_setid(), to avoid bogus LSM (SELinux) denials. Can we please have more details on the selinux failures? Under what circumstances? What is the end-user impact? Because a fix for "bogus LSM (SELinux) denials" sounds like something which should be backported into earlier kernels, but there simply isn't sufficient information here for others to decide on this.
