On Wed, Aug 21, 2024 at 8:56 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> On Wed, Aug 21, 2024 at 5:54 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > On Tue, Aug 20, 2024 at 2:02 PM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > Thank you for reviving this patch.
> > Do you have a corresponding userspace patch? And for extra credit, a
> > selinux-testsuite patch?
> >
>
> Thank you for the quick response and initial feedback. I've just sent
> the libsepol patches for userland on this mailing list.
> For selinux-testsuite, an issue I came across while testing is that
> the policy capabilities cannot be updated (that is, only the
> capabilities from the original host policy are active). I am not sure
> if I got that right or if there is any obvious solution (except
> toggling on the new capability in Fedora).
> I'm still hoping to get the extra credits by: updating the selinux
> notebook documentation as well as updating setools (for sesearch
> support). :) I will send pull requests if these patches get accepted.

With your userspace patches, can't you just do this:

$ cat netlink_xperm.cil
(policycap netlink_xperm)
$ sudo semodule -i netlink_xperm.cil

If so, then you can add that along with corresponding allowxperm rules
to the test policy to exercise this.