Comment 6 for bug 1844186

John Johansen (jjohansen) wrote :

I should add that bug 1839037 is a bug in the subset test introduced in kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will properly transition, some won't; it all depends on what is in the stack being transitioned. The patch fixes it so that all transition combinations pass correctly. The patch actually allows more transitions under nnp than when it is not applied. The bug does not exist in the 4.17 or later kernel versions.

The 5.0 HWE kernel never had the bug addressed in bug 1839037, and did not receive the patch.

The DENY messages above indicate that this is a case of a cross policy namespace check; I am investigating if cross namespace checks are broken.