On Tue, Feb 28, 2023 at 6:01 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > ibv_get_device_list(3) first tries to get the device list via netlink > > and if that fails it falls back to getting it from sysfs. Currently the > > policy denies getting it from netlink, generating some denials. Allow > > test_ibpkey_access_t the necessary permissions so it can do it the > > preferred way and doesn't generate audit AVC noise. > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > --- > > policy/test_ibpkey.te | 1 + > > 1 file changed, 1 insertion(+) > > Similar to the other policy issue, it seems like this is a general > problem and not specifically a selinux-testsuite issue, right? If > that is the case should we fix this in refpol? I think it's okay to > put a temporary fix in the test suite, but we should also push to fix > this in refpol. Basically the same as I said in the first paragraph of my reply under patch 1 applies here, just in this case we are talking about users of ibv_get_device_list(3) instead of ibv_create_cq(3). -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
