- Bug
- Resolution: Unresolved
- rhel-8.10
- Moderate
- rhel-sst-security-special-projects
- ssg_security
- Red Hat Enterprise Linux
What were you trying to do that didn't work?
When enabling poly-instantiation for /tmp and /var/tmp, and fapolicyd is enabled on the system, users can execute their own (untrusted) binaries, whereas they should be blocked:
[user@vm-fapolicyd9 ~]$ cp /usr/bin/ls .
[user@vm-fapolicyd9 ~]$ ./ls
ls
whereas the behavior below is expected:
[user@vm-fapolicyd9 ~]$ cp /usr/bin/ls .
[user@vm-fapolicyd9 ~]$ ./ls
-bash: ./ls: Operation not permitted
To make this work, fapolicyd requires its configuration to be tuned in /etc/fapolicyd/fapolicyd.conf:
allow_filesystem_mark = 1
This is fine on RHEL9, but has no effect on RHEL8.
Please provide the package NVR for which bug is seen:
fapolicyd-1.3.2-1.el8
How reproducible:
Always
Steps to reproduce
- Create a user
# useradd user
- Enable poly-instantiation
# tail -3 /etc/security/namespace.conf
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp/tmp-inst/ level root,adm
#$HOME $HOME/$USER.inst/ level
# semanage boolean -m polyinstantiation_enabled --on
- Login as the user and try executing a custom binary
$ cp /usr/bin/ls .
$ ./ls
ls
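
An audit check for the configuration combination this report describes, as an added example that is not part of the original ticket or of fapolicyd: it reads a namespace.conf and a fapolicyd.conf, reports whether polyinstantiated directories are active and whether `allow_filesystem_mark = 1` is set, and treats RHEL 8 as affected regardless of the setting, per the report. The function names and status words are hypothetical, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example: flag hosts where polyinstantiated temp dirs and fapolicyd
# combine as described in this report. Function names are hypothetical.

# Active (uncommented) polyinstantiated directories in a namespace.conf file.
polyinst_dirs() {
    awk '$1 !~ /^#/ && NF >= 3 { print $1 }' "$1"
}

# Value of allow_filesystem_mark in a fapolicyd.conf file, or "unset".
fs_mark_value() {
    awk -F= '/^[ \t]*allow_filesystem_mark[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print (v == "" ? "unset" : v) }' "$1"
}

# assess NAMESPACE_CONF FAPOLICYD_CONF RHEL_MAJOR -> one status word
assess() {
    if [ -z "$(polyinst_dirs "$1")" ]; then
        echo "no-polyinst"      # nothing polyinstantiated, report does not apply
    elif [ "$3" = "8" ]; then
        echo "rhel8-affected"   # report: the setting has no effect on RHEL 8
    elif [ "$(fs_mark_value "$2")" != "1" ]; then
        echo "needs-fs-mark"    # RHEL 9: set allow_filesystem_mark = 1
    else
        echo "ok"
    fi
}

# Constructed sample input mirroring the configuration shown in the report.
demo_dir=$(mktemp -d)
printf '%s\n' '/tmp /tmp-inst/ level root,adm' \
              '/var/tmp /var/tmp/tmp-inst/ level root,adm' \
              '#$HOME $HOME/$USER.inst/ level' > "$demo_dir/namespace.conf"
printf '%s\n' 'allow_filesystem_mark = 1' > "$demo_dir/fapolicyd.conf"

for major in 8 9; do
    echo "RHEL $major: $(assess "$demo_dir/namespace.conf" "$demo_dir/fapolicyd.conf" "$major")"
done
```

On a real host, pass /etc/security/namespace.conf, /etc/fapolicyd/fapolicyd.conf and the major release number to `assess`.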