Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> writes: > On Wed, 15 Feb 2023 14:18:07 +0100 Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > >> 1. First determine if CAP_SET[UG]ID is required and only then call >> ns_capable_setid(), to avoid bogus LSM (SELinux) denials. > > Can we please have more details on the selinux failures? Under what > circumstances? What is the end-user impact? It is puzzling the structure with having the capability check first dates to 2.1.104 (when a hand coded test for root was replaced with capable(CAP_SETID). Which means the basic structure and logic of the code is even older than that. Eric
