I wonder if perhaps class/type checking was improved and picked up on an existing problem.
Looking at the access vectors, setpgid should have been defined as "class process" [0] but it was mistakenly set to "class capability" [1] like dac_override [2] and setpcap [3].
Once I updated libselinux to the "bad" version, I failed to build neutron. But if I change the definition to "class process setpgid;" it works again.
[0] https://github.com/fedora-selinux/selinux-policy/blob/0846d11/policy/flask/access_vectors#L356
[1] https://github.com/redhat-openstack/openstack-selinux/blob/8d0bf6c851aad1cedcc4b38f1c6fda4c8e62ba81/os-neutron.te#L23
[2] https://github.com/fedora-selinux/selinux-policy/blob/0846d11/policy/flask/access_vectors#L144
[3] https://github.com/fedora-selinux/selinux-policy/blob/0846d11/policy/flask/access_vectors#L151
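
An added example, not part of the original comment or of either project: a small Python check that flags a `class X perm;` declaration whose permission is not defined for that class in access_vectors. The access_vectors excerpt and the require block are constructed samples reproducing the situation described above, and the function names are hypothetical.

```python
import re

# Constructed excerpt in access_vectors syntax (assumption: only the
# permissions named in the comment plus a few neighbours, not the upstream file).
ACCESS_VECTORS = """
class process
{
	fork
	sigchld
	setpgid
	setcap
}

class capability
{
	chown
	dac_override
	setpcap
}
"""

# Constructed require block reproducing the mistake described above.
TE_SOURCE = """
gen_require(`
	type neutron_t;
	class capability { dac_override setpcap };
	class capability setpgid;
')
"""

def parse_access_vectors(text):
    """Map each class name to the set of permissions it defines."""
    return {name: set(body.split())
            for name, body in re.findall(r"class\s+(\w+)\s*\{([^}]*)\}", text)}

def find_misplaced(te_text, vectors):
    """Return (class, perm, classes_defining_perm) for each bad declaration."""
    findings = []
    te_text = re.sub(r"#.*", "", te_text)  # drop policy comments
    for cls, braced, single in re.findall(
            r"\bclass\s+(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", te_text):
        for perm in (braced or single).split():
            if perm not in vectors.get(cls, set()):
                owners = sorted(c for c, p in vectors.items() if perm in p)
                findings.append((cls, perm, owners))
    return findings

if __name__ == "__main__":
    for cls, perm, owners in find_misplaced(TE_SOURCE, parse_access_vectors(ACCESS_VECTORS)):
        print(f"class {cls} does not define '{perm}'; defined in: {owners}")
```

Run against a real policy module, the same check would need the full access_vectors file, including its `common` and `inherits` blocks, which this narrowed parser does not handle.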