Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT

[PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · Alistair Delva <hidden> · 2021-11-15
Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · Ondrej Mosnacek <omosnace@redhat.com> · 2021-11-15
Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · Alistair Delva <hidden> · 2021-11-16
Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-16
Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2021-11-16
RE: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · David Laight <hidden> · 2021-11-16
Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · "Serge E. Hallyn" <serge@hallyn.com> · 2021-11-16
Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2021-11-16
Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · Jens Axboe <axboe@kernel.dk> · 2021-11-16
Re: [PATCH] block: Check ADMIN before NICE for IOPRIO_CLASS_RT · Alistair Delva <hidden> · 2021-11-16

From: Jens Axboe <axboe@kernel.dk>
Date: 2021-11-16 01:22:40
Also in: lkml, selinux, stable

On 11/15/21 10:38 AM, Alistair Delva wrote:

Booting to Android userspace on 5.14 or newer triggers the following
SELinux denial:

avc: denied { sys_nice } for comm="init" capability=23
     scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability
     permissive=0

Init is PID 0 running as root, so it already has CAP_SYS_ADMIN. For
better compatibility with older SEPolicy, check ADMIN before NICE.

Seems a bit wonky to me, but the end result is the same. In any case,
this warrants a comment above it detailing why the ordering is
seemingly important.

-- 
Jens Axboe

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help