On Mon, Jul 7, 2025 at 4:38 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
> On 7/7/2025 4:01 PM, Paul Moore wrote:
> >
> > Strictly speaking this is a regression in the kernel, even if the new
> > behavior is correct.  I'm CC'ing the SELinux and Reference Policy
> > lists so that the policy devs can take a look and see what impacts
> > there might be to the various public SELinux policies.  If this looks
> > like it may be a significant issue, we'll need to work around this
> > with a SELinux "policy capability" or some other compatibility
> > solution.
>
> In refpolicy, there are 34 rules for anon_inode and they all have
> { create read write map } -- none of them have the execute permission.
> Of these, only 4 are explicit and could potentially be broken.  The
> remaining get it due to being unconfined, thus can be immediately
> fixed, since it's unconfined.
>
> IMO, this is very low impact.

Thanks Chris, I think it's worth leaving the kernel code as-is and just
patching the selinux-testsuite.  I'll send out a patch for that tomorrow.

--
paul-moore.com
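The impact check Chris describes above (count the anon_inode allow rules in a policy and see which of them lack the execute permission) can be scripted. The following is an added example, not code from the thread, from refpolicy or from the kernel; it assumes rules in the plain `allow src tgt:class { perms };` form that policy sources and sesearch output use, and the sample rules it parses are constructed for illustration, not taken from any real policy.

```python
import re

# Constructed sample in SELinux allow-rule syntax (not real refpolicy rules).
# Four of the five anon_inode rules lack "execute"; one (unconfined_t) has it.
SAMPLE_RULES = """\
allow init_t self:anon_inode { create read write map };
allow udev_t self:anon_inode { create read write map };
allow unconfined_t self:anon_inode { create read write map execute };
allow sshd_t self:anon_inode { create read write map };
allow crond_t self:process { fork signal };
allow systemd_t self:anon_inode create;
"""

# Matches "allow <src> <tgt>:<class> { perm perm ... };" or a single bare perm.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+)\s*;"
)


def parse_allow_rules(text):
    """Return (source, target, class, frozenset(perms)) for each allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # skip comments, type declarations, and anything else
        perms = m.group("perms").strip("{}").split()
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"),
                      frozenset(perms)))
    return rules


def anon_inode_rules_missing(rules, perm="execute"):
    """Rules on the anon_inode class whose permission set lacks `perm`."""
    return [r for r in rules if r[2] == "anon_inode" and perm not in r[3]]


def report(text, perm="execute"):
    """Summarise how many anon_inode rules exist and which domains lack `perm`."""
    rules = parse_allow_rules(text)
    anon = [r for r in rules if r[2] == "anon_inode"]
    missing = anon_inode_rules_missing(rules, perm)
    return {
        "anon_inode_rules": len(anon),
        "missing_" + perm: sorted(r[0] for r in missing),
    }


if __name__ == "__main__":
    for domain in report(SAMPLE_RULES)["missing_execute"]:
        print(f"{domain}: anon_inode rule has no execute permission")
```

Run it against `sesearch --allow -c anon_inode` output (or a policy source file) to get the list of domains whose anon_inode rules would need attention if the kernel starts requiring execute; the sample set reports four such domains.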