From a4173b878cde6931647aeaabdd2382e1a2bbe73c Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sat, 12 Jun 2021 11:51:09 +0300 Subject: [PATCH] mount.2: document SELinux use of MS_NOSUID mount flag Using mount flag `MS_NOSUID` also affects SELinux domain transitions but this has not been documented well. Signed-off-by: Topi Miettinen Signed-off-by: Michael Kerrisk --- man2/mount.2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/man2/mount.2 b/man2/mount.2 index d8521880b..d7d5b2ad4 100644 --- a/man2/mount.2 +++ b/man2/mount.2 @@ -220,7 +220,9 @@ Do not allow programs to be executed from this filesystem. .TP .B MS_NOSUID Do not honor set-user-ID and set-group-ID bits or file capabilities -when executing programs from this filesystem. +when executing programs from this filesystem. In addition, SELinux domain +transitions require permission nosuid_transition, which in turn needs +also policy capability nnp_nosuid_transition. .\" (This is a security feature to prevent users executing set-user-ID and .\" set-group-ID programs from removable disk devices.) .TP
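Review bot: The sentence added under MS_NOSUID says SELinux domain transitions "require permission nosuid_transition" but does not say what happens on a nosuid mount when that permission is missing. A reader cannot tell whether execve fails or the program runs without changing domain, so please state the outcome. It would also help to say which domain pair the permission is checked between. On wording, "which in turn needs also policy capability" reads better as "which in turn also requires the policy capability". On style, the new sentence starts mid-line after "this filesystem."; starting it on its own source line would keep the diff to pure additions and leave the existing line untouched. The identifiers nosuid_transition and nnp_nosuid_transition should carry font markup like other literal names on the page.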