fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow userdomain get attributes of files on an nsfs filesystem #2049

Closed zpytela closed 4 months ago

zpytela commented 4 months ago

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(22.2.2024 23:42:03.003:742) : proctitle=pstree
type=PATH msg=audit(22.2.2024 23:42:03.003:742) : item=0 name=/proc/4139/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(22.2.2024 23:42:03.003:742) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x7ffc200aed00 a2=0x7ffc200aed40 a3=0x0 items=1 ppid=7788 pid=55219 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts13 ses=7 comm=pstree exe=/usr/bin/pstree subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22.2.2024 23:42:03.003:742) : avc: denied { getattr } for pid=55219 comm=pstree path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
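As an added illustration (not code from this PR or the selinux-policy project), a small Python parser for the AVC record quoted above: it pulls out the source and target types, object class and permission, derives the minimal audit2allow-style rule the denial asks for, and reads the permissive flag, which here shows the access was only logged, not blocked (the SYSCALL record's success=yes confirms this). The PR itself grants the permission to the userdomain attribute rather than to staff_t alone, as its title says.

```python
import re

# Constructed sample: the type=AVC record quoted in the commit message above.
AVC_RECORD = (
    'type=AVC msg=audit(22.2.2024 23:42:03.003:742) : avc: denied { getattr } '
    'for pid=55219 comm=pstree path=cgroup:[4026531835] dev="nsfs" ino=4026531835 '
    'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1'
)

# "avc: denied { getattr }" or "avc: granted { read write }"
_DECISION = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values may be double-quoted (dev="nsfs")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return (decision, [permissions], {field: value}) for one AVC record."""
    m = _DECISION.search(record)
    if not m:
        raise ValueError("not an AVC record")
    perms = m.group(2).split()
    fields = {k: v.strip('"') for k, v in _KV.findall(record)}
    return m.group(1), perms, fields


def context_type(ctx):
    """Extract the type from user:role:type[:range]."""
    return ctx.split(':')[2]


def allow_rule(record):
    """Minimal rule that would satisfy the denial, as audit2allow would print it."""
    decision, perms, f = parse_avc(record)
    if decision != 'denied':
        return None
    src, tgt = context_type(f['scontext']), context_type(f['tcontext'])
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {tgt}:{f['tclass']} {perm};"


def was_enforced(record):
    """True only if the access was actually blocked (permissive=0), not just logged."""
    return parse_avc(record)[2].get('permissive') == '0'


if __name__ == '__main__':
    print(allow_rule(AVC_RECORD))            # allow staff_t nsfs_t:file getattr;
    print("enforced:", was_enforced(AVC_RECORD))  # enforced: False
```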

packit-as-a-service[bot] commented 4 months ago

Cockpit tests failed for commit a139d8b6203d0fbb2425361cb3e2d42508ddf7f2. @martinpitt, @jelly, @mvollmer please check.

martinpitt commented 4 months ago

That f40 failure smelled like a kernel issue, may be https://bugzilla.redhat.com/show_bug.cgi?id=2256433 -- it's a bit hard to tell as the VM got corrupted and eventually timed out, so we don't have any journals. The retry failed again though.

This is a bit suspicious -- f40/testing farm just ran in https://github.com/cockpit-project/cockpit/pull/20088 and it passed.

So retrying once more, perhaps just really bad luck?

martinpitt commented 4 months ago

OK, third time's the charm! :sweat: