Subject: Re: what is cap_userns?
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Date: Tue, 14 Apr 2020 10:23:22 -0400
In-Reply-To: <2010201.2WdYGfYjWX@liv>
List-ID: selinux-refpolicy@vger.kernel.org

On 4/10/20 11:21 PM, Russell Coker wrote:
> allow sysadm_t self:cap_userns sys_ptrace;
>
> The above is from audit2allow. Do we need macros to grant all user domains
> this sort of access?

This is a capability in a user namespace.

-- 
Chris PeBenito
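For readers wondering how such a rule would be packaged in reference policy style, the following is an added example written for this page; it is not refpolicy's own code and the interface name userdom_userns_sys_ptrace is hypothetical. The kernel checks the `capability`/`capability2` classes when the task is in the initial user namespace and the `cap_userns`/`cap2_userns` classes when it is in a child user namespace (the second class pair covers capability numbers 32 and above), so the denial quoted above is produced only when sysadm_t has entered a user namespace, for example with unshare -Ur. Granting `self:cap_userns sys_ptrace` therefore does not confer CAP_SYS_PTRACE over the host, only over processes inside namespaces the domain owns.

```m4
## <summary>
##	Allow the specified domain to use CAP_SYS_PTRACE inside
##	a user namespace it has entered (class cap_userns), without
##	granting the same capability in the initial user namespace
##	(class capability). Hypothetical interface, not part of refpolicy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_userns_sys_ptrace',`
	# Only the namespaced class is granted here; a domain that needs
	# host-wide ptrace must be given self:capability sys_ptrace separately.
	allow $1 self:cap_userns sys_ptrace;
')

# Call site in a domain's .te file (hypothetical), granting it to one domain:
userdom_userns_sys_ptrace(sysadm_t)

# Or, to cover every user domain at once, apply the rule to the
# userdomain attribute instead of a single type:
gen_require(`
	attribute userdomain;
')
allow userdomain self:cap_userns sys_ptrace;
```

The two forms are mutually exclusive choices, not both needed: pick the interface when the access should be opt-in per domain, or the attribute rule when the thread's question ("all user domains") is answered with a blanket grant. Either way, check the audit record's tclass field before copying audit2allow output, since a denial on `capability` and one on `cap_userns` carry the same permission name but mean very different things.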