* [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12
@ 2021-04-27 20:15 Paul Moore
From: Paul Moore @ 2021-04-27 20:15 UTC (permalink / raw)
To: selinux
Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
This is due to kernel commit db2e718a4798 ("capabilities: require
CAP_SETFCAP to map uid 0"). In order to resolve this in the test
suite allow the cap_userns test domains to exercise the setfcap
capability.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
policy/test_cap_userns.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
index ab74325..9683870 100644
--- a/policy/test_cap_userns.te
+++ b/policy/test_cap_userns.te
@@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
typeattribute test_cap_userns_t testdomain;
typeattribute test_cap_userns_t capusernsdomain;
+# linux >= v5.12 needs setfcap to map UID 0
+allow capusernsdomain self:capability setfcap;
+
# This domain is allowed sys_admin on non-init userns for mount.
allow test_cap_userns_t self:cap_userns sys_admin;
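Review bot: the new rule is written against the `capusernsdomain` attribute, but it is inserted between the `typeattribute` lines and the `test_cap_userns_t`-specific `self:cap_userns sys_admin` rule, so a reader skimming the file will take it for a per-type grant. Moving it to where the other `capusernsdomain` rules live keeps the attribute-wide grants together and makes it visible that `setfcap` now reaches every domain carrying the attribute, not only `test_cap_userns_t`. The comment above the rule could also say why this one is `self:capability` while the rule directly below it is `self:cap_userns`; without that, the next person touching the file will wonder whether one of the two classes is a mistake.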
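Added example, not code from the selinux-testsuite: a small Python checker that resolves `typeattribute` lines and reports which permissions a concrete domain actually receives, run over a constructed excerpt mirroring the hunk above. It assumes only the one-line `typeattribute` and `allow` syntax the hunk uses, so it answers the question the patch raises, whether the rule on `capusernsdomain` reaches `test_cap_userns_t`, without a full policy compiler.

```python
import re
from collections import defaultdict

# Constructed excerpt mirroring the patched test_cap_userns.te hunk
# (not the real file; unrelated lines are omitted).
SAMPLE_TE = """
typeattribute test_cap_userns_t testdomain;
typeattribute test_cap_userns_t capusernsdomain;
# linux >= v5.12 needs setfcap to map UID 0
allow capusernsdomain self:capability setfcap;
# This domain is allowed sys_admin on non-init userns for mount.
allow test_cap_userns_t self:cap_userns sys_admin;
"""

TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+([\w,\s]+);")
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")


def parse_te(text):
    """Return (attrs_of_type, allow_rules) for the TE subset used above."""
    attrs = defaultdict(set)   # type -> attributes it carries
    rules = []                 # (source, target, class, perms)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = TYPEATTR_RE.match(line)
        if m:
            attrs[m.group(1)].update(a.strip() for a in m.group(2).split(","))
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{}").split())))
    return attrs, rules


def effective_perms(text, domain, cls):
    """Permissions `domain` holds on self for `cls`, including rules written
    against any attribute the domain carries (this is how the rule on
    capusernsdomain reaches test_cap_userns_t)."""
    attrs, rules = parse_te(text)
    sources = {domain} | attrs.get(domain, set())
    return {p for src, tgt, c, perms in rules
            if src in sources and tgt == "self" and c == cls for p in perms}


if __name__ == "__main__":
    # Shows {'setfcap'}: granted via the capusernsdomain attribute.
    print(effective_perms(SAMPLE_TE, "test_cap_userns_t", "capability"))
```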
* Re: [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12
From: Ondrej Mosnacek @ 2021-04-28 10:54 UTC (permalink / raw)
To: Paul Moore; +Cc: SElinux list
On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote:
> Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
> This is due to kernel commit db2e718a4798 ("capabilities: require
> CAP_SETFCAP to map uid 0"). In order to resolve this in the test
> suite allow the cap_userns test domains to exercise the setfcap
> capability.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
> policy/test_cap_userns.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> index ab74325..9683870 100644
> --- a/policy/test_cap_userns.te
> +++ b/policy/test_cap_userns.te
> @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
> typeattribute test_cap_userns_t testdomain;
> typeattribute test_cap_userns_t capusernsdomain;
>
> +# linux >= v5.12 needs setfcap to map UID 0
> +allow capusernsdomain self:capability setfcap;
> +
> # This domain is allowed sys_admin on non-init userns for mount.
> allow test_cap_userns_t self:cap_userns sys_admin;
Thanks! Would you mind if I move the new rule to the end of the file
(where other rules for the attribute live) and tweak the subject line?
The final commit is available for preview here:
https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
* Re: [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12
From: Paul Moore @ 2021-04-28 14:11 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: SElinux list
On Wed, Apr 28, 2021 at 6:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote:
> > Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
> > This is due to kernel commit db2e718a4798 ("capabilities: require
> > CAP_SETFCAP to map uid 0"). In order to resolve this in the test
> > suite allow the cap_userns test domains to exercise the setfcap
> > capability.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> > policy/test_cap_userns.te | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> > index ab74325..9683870 100644
> > --- a/policy/test_cap_userns.te
> > +++ b/policy/test_cap_userns.te
> > @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
> > typeattribute test_cap_userns_t testdomain;
> > typeattribute test_cap_userns_t capusernsdomain;
> >
> > +# linux >= v5.12 needs setfcap to map UID 0
> > +allow capusernsdomain self:capability setfcap;
> > +
> > # This domain is allowed sys_admin on non-init userns for mount.
> > allow test_cap_userns_t self:cap_userns sys_admin;
>
> Thanks! Would you mind if I move the new rule to the end of the file
> (where other rules for the attribute live) and tweak the subject line?
> The final commit is available for preview here:
> https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5
Sure, do whatever you think is best; you can even replace my little
patch with another that you like better. My main concern is just
making sure the test suite is fixed and working :)
--
paul moore
www.paul-moore.com
* Re: [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12
From: Ondrej Mosnacek @ 2021-04-28 14:27 UTC (permalink / raw)
To: Paul Moore; +Cc: SElinux list
On Wed, Apr 28, 2021 at 4:11 PM Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Apr 28, 2021 at 6:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote:
> > > Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
> > > This is due to kernel commit db2e718a4798 ("capabilities: require
> > > CAP_SETFCAP to map uid 0"). In order to resolve this in the test
> > > suite allow the cap_userns test domains to exercise the setfcap
> > > capability.
> > >
> > > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > > ---
> > > policy/test_cap_userns.te | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> > > index ab74325..9683870 100644
> > > --- a/policy/test_cap_userns.te
> > > +++ b/policy/test_cap_userns.te
> > > @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
> > > typeattribute test_cap_userns_t testdomain;
> > > typeattribute test_cap_userns_t capusernsdomain;
> > >
> > > +# linux >= v5.12 needs setfcap to map UID 0
> > > +allow capusernsdomain self:capability setfcap;
> > > +
> > > # This domain is allowed sys_admin on non-init userns for mount.
> > > allow test_cap_userns_t self:cap_userns sys_admin;
> >
> > Thanks! Would you mind if I move the new rule to the end of the file
> > (where other rules for the attribute live) and tweak the subject line?
> > The final commit is available for preview here:
> > https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5
>
> Sure, do whatever you think is best; you can even replace my little
> patch with another that you like better. My main concern is just
> making sure the test suite is fixed and working :)
Ok, I have just pushed it:
https://github.com/SELinuxProject/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.