[PATCH testsuite 1/3] policy: make sure test_ibpkey_access_t can lock enough memory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The ibv_create_cq() operation requires the caller to be able to lock
enough memory (RLIMIT_MEMLOCK). In some environments (such as RHEL-8)
the default resource limits may not be enough, requiring CAP_IPC_LOCK to
go above the limit. To make sure the test works also under stricter
resource limits, grant CAP_IPC_LOCK to test_ibpkey_access_t.

Reported-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
 policy/test_ibpkey.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
index 863ff16..2bfb701 100644
--- a/policy/test_ibpkey.te
+++ b/policy/test_ibpkey.te
@@ -10,6 +10,10 @@ type test_ibpkey_access_t;
 testsuite_domain_type(test_ibpkey_access_t)
 typeattribute test_ibpkey_access_t ibpkeydomain;
 
+# ibv_create_cq(3) locks some memory - make sure the domain can do that
+# even with strict resource limits.
+allow test_ibpkey_access_t self:capability ipc_lock;
+
 dev_rw_infiniband_dev(test_ibpkey_access_t)
 dev_rw_sysfs(test_ibpkey_access_t)
 
-- 
2.39.2




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux