On Wed, Feb 15, 2023 at 9:47 PM Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote: > > On Wed, 15 Feb 2023 14:18:07 +0100 Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > 1. First determine if CAP_SET[UG]ID is required and only then call > > ns_capable_setid(), to avoid bogus LSM (SELinux) denials. > > Can we please have more details on the selinux failures? Under what > circumstances? What is the end-user impact? > > Because a fix for "bogus LSM (SELinux) denials" sounds like something > which should be backported into earlier kernels, but there simply isn't > sufficient information here for others to decide on this. Fair point. I will send a v2 with a more detailed explanation. -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
