On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > ibv_get_device_list(3) first tries to get the device list via netlink > and if that fails it falls back to getting it from sysfs. Currently the > policy denies getting it from netlink, generating some denials. Allow > test_ibpkey_access_t the necessary permissions so it can do it the > preferred way and doesn't generate audit AVC noise. > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > --- > policy/test_ibpkey.te | 1 + > 1 file changed, 1 insertion(+) Similar to the other policy issue, it seems like this is a general problem and not specifically a selinux-testsuite issue, right? If that is the case should we fix this in refpol? I think it's okay to put a temporary fix in the test suite, but we should also push to fix this in refpol. > diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te > index 97f0c3c..6835897 100644 > --- a/policy/test_ibpkey.te > +++ b/policy/test_ibpkey.te > @@ -11,6 +11,7 @@ testsuite_domain_type(test_ibpkey_access_t) > typeattribute test_ibpkey_access_t ibpkeydomain; > > allow test_ibpkey_access_t self:capability ipc_lock; > +allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms; > > dev_rw_infiniband_dev(test_ibpkey_access_t) > dev_rw_sysfs(test_ibpkey_access_t) > -- > 2.39.2 -- paul-moore.com
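Review bot: the added `allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms;` line carries no comment explaining why the test domain needs an RDMA netlink socket. A one-line comment above it, noting that ibv_get_device_list(3) tries netlink before falling back to sysfs, would keep the reason next to the rule. Because `create_socket_perms` is a permission-set macro rather than a single permission, it is also worth comparing it with the denials mentioned in the commit message and, if the set is wider than what was denied, listing only the permissions the netlink query needs. If the rule stays in the test suite only as a temporary fix, saying so in that comment makes it easier to drop later.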