From 30ada8fa616fa77e57cd83414ff2871832067bd0 Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: May 20 2021 10:01:59 +0000
Subject: test if usbmuxd can call statfs on /sys filesystem Recent testing revealed that the usbmuxd service triggers SELinux denials during its start. SELinux prevented the usbmuxd process from accessing the /sys filesystem. The TC reproduces the situation. I believe this access should be allowed in SELinux policy. The TC looks for appropriate policy rules. The TC covers BZ#1930992.
---
diff --git a/selinux-policy/usbmuxd-and-similar/Makefile b/selinux-policy/usbmuxd-and-similar/Makefile
index bb52aaf..f960b22 100644
--- a/selinux-policy/usbmuxd-and-similar/Makefile
+++ b/selinux-policy/usbmuxd-and-similar/Makefile
@@ -65,6 +65,7 @@ $(METADATA): Makefile
 @echo "Releases: -RHEL4 -RHEL5 -RHEL6" >> $(METADATA)
 @echo "Bug: 1521054" >> $(METADATA) # RHEL-7
 @echo "Bug: 1582205" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1930992" >> $(METADATA) # Fedora 33
 rhts-lint $(METADATA)
diff --git a/selinux-policy/usbmuxd-and-similar/runtest.sh b/selinux-policy/usbmuxd-and-similar/runtest.sh
index 7c9729b..9f63eda 100755
--- a/selinux-policy/usbmuxd-and-similar/runtest.sh
+++ b/selinux-policy/usbmuxd-and-similar/runtest.sh
@@ -75,6 +75,11 @@ rlJournalStart rlSESearchRule "allow usbmuxd_t udev_var_run_t : file { getattr open read } [ ]" rlPhaseEnd + rlPhaseStartTest "bz#1930992" + rlSEMatchPathCon "/sys" "sysfs_t" + rlSESearchRule "allow usbmuxd_t sysfs_t : filesystem { getattr } [ ]" + rlPhaseEnd + rlPhaseStartTest "real scenario" rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root" if ! rlSEDefined ${PROCESS_CONTEXT} ; then
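Review bot: The added `bz#1930992` phase in runtest.sh has no comment naming the access it covers, so a reader of the test has only the bug number; the commit message says the denial came from usbmuxd calling statfs on /sys during service start. I would put a line above the two checks such as `# usbmuxd calls statfs() on /sys at start: needs filesystem getattr on sysfs_t (BZ#1930992)`. It is also worth stating there that the rule is deliberately pinned to `{ getattr }` only, so a later policy change that widens `usbmuxd_t` access to the `sysfs_t` filesystem class is not mistaken for what this test requires. Judging by its name, `rlSEMatchPathCon "/sys" "sysfs_t"` checks the file-context entry for the path, whereas a `filesystem`-class permission is evaluated against the label of the mounted filesystem; the two normally agree for sysfs, but the comment should say which one the phase relies on. The 'real scenario' phase that follows continues outside the hunk, so whether it exercises the actual service start cannot be confirmed from here.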