On Tue, 2023-02-28 at 11:51 -0500, Paul Moore wrote: > On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > The ibv_create_cq() operation requires the caller to be able to lock > > enough memory (RLIMIT_MEMLOCK). In some environments (such as RHEL-8) > > the default resource limits may not be enough, requiring CAP_IPC_LOCK to > > go above the limit. To make sure the test works also under stricter > > resource limits, grant CAP_IPC_LOCK to test_ibpkey_access_t. > > > > Reported-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > --- > > policy/test_ibpkey.te | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te > > index 863ff16..97f0c3c 100644 > > --- a/policy/test_ibpkey.te > > +++ b/policy/test_ibpkey.te > > @@ -10,6 +10,8 @@ type test_ibpkey_access_t; > > testsuite_domain_type(test_ibpkey_access_t) > > typeattribute test_ibpkey_access_t ibpkeydomain; > > > > +allow test_ibpkey_access_t self:capability ipc_lock; > > FWIW, I brought this up back in 2019 and have been carrying a local > selinux-testsuite patch for this ever since (it's the only way to get > a clean run of the IB tests). Confirmed, with this change the SELinux infiniband tests are now working on stable linux-4.19.y. > While it can be fixed in the > selinux-testsuite policy, I believe this is a more general problem and > should probably be fixed in refpol. > > https://lore.kernel.org/selinux/CAHC9VhTuYi+W0RukEV4WNrP5X_AFeouaWMsdbgxSL1v04mouWw@xxxxxxxxxxxxxx/ > > > dev_rw_infiniband_dev(test_ibpkey_access_t) > > dev_rw_sysfs(test_ibpkey_access_t) -- thanks, Mimi
