The ibv_create_cq() operation requires the caller to be able to lock enough memory (RLIMIT_MEMLOCK). In some environments (such as RHEL-8) the default resource limits may not be enough, requiring CAP_IPC_LOCK to go above the limit. To make sure the test works also under stricter resource limits, grant CAP_IPC_LOCK to test_ibpkey_access_t. Reported-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/test_ibpkey.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te index 863ff16..97f0c3c 100644 --- a/policy/test_ibpkey.te +++ b/policy/test_ibpkey.te @@ -10,6 +10,8 @@ type test_ibpkey_access_t; testsuite_domain_type(test_ibpkey_access_t) typeattribute test_ibpkey_access_t ibpkeydomain; +allow test_ibpkey_access_t self:capability ipc_lock; + dev_rw_infiniband_dev(test_ibpkey_access_t) dev_rw_sysfs(test_ibpkey_access_t) -- 2.39.2
