From 7420494018f451ed2bb7f25ad0662c3090b4a57f Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: Jan 29 2021 13:50:37 +0000
Subject: test if rtkit-daemon can do sys_nice in user namespaces SELinux prevents the rtkit-daemon process from setting nice value. I believe this access is harmless from security point-of-view and should be allowed. The TC is not able to reproduce the issue, but it looks for an appropriate SELinux policy rule. The TC covers BZ#1750024, BZ#1910507 and other duplicates.
---
diff --git a/selinux-policy/rtkit-daemon-and-similar/Makefile b/selinux-policy/rtkit-daemon-and-similar/Makefile
index a3328e9..4e5588f 100644
--- a/selinux-policy/rtkit-daemon-and-similar/Makefile
+++ b/selinux-policy/rtkit-daemon-and-similar/Makefile
@@ -66,7 +66,15 @@ $(METADATA): Makefile
 @echo "Bug: 1626982" >> $(METADATA) # RHEL-7
 @echo "Bug: 1703241" >> $(METADATA) # RHEL-8
 @echo "Bug: 1720546" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1750024" >> $(METADATA) # Fedora 30
+ @echo "Bug: 1752583" >> $(METADATA) # Fedora 31
+ @echo "Bug: 1754408" >> $(METADATA) # Fedora 30
+ @echo "Bug: 1755572" >> $(METADATA) # Fedora 30
+ @echo "Bug: 1756755" >> $(METADATA) # Fedora 30
+ @echo "Bug: 1758097" >> $(METADATA) # Fedora 30
+ @echo "Bug: 1760214" >> $(METADATA) # Fedora 29
 @echo "Bug: 1873658" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1910507" >> $(METADATA) # RHEL-8
 rhts-lint $(METADATA)
diff --git a/selinux-policy/rtkit-daemon-and-similar/runtest.sh b/selinux-policy/rtkit-daemon-and-similar/runtest.sh
index a0d647b..b6e88e8 100755
--- a/selinux-policy/rtkit-daemon-and-similar/runtest.sh
+++ b/selinux-policy/rtkit-daemon-and-similar/runtest.sh
@@ -91,6 +91,11 @@ rlJournalStart
 rlPhaseStartTest "bz#1873658"
 rlSESearchRule "allow rtkit_daemon_t rtkit_daemon_t : cap_userns { sys_ptrace } [ ]"
 rlPhaseEnd
+
+ rlPhaseStartTest "bz#1750024 + bz#1910507"
+ # this bug has many duplicates among Fedora bugs
+ rlSESearchRule "allow rtkit_daemon_t rtkit_daemon_t : cap_userns { sys_nice } [ ]"
+ rlPhaseEnd
 fi
 if ! rlIsRHEL 5 6 ; then
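Review bot: The `bz#1750024 + bz#1910507` phase lacks a comment saying that it only checks the policy for the `cap_userns { sys_nice }` rule. Its one comment (`# this bug has many duplicates among Fedora bugs`) leaves a reader free to take a pass as proof that rtkit-daemon can really change its nice value inside a user namespace. The commit message says the test case cannot reproduce the denial, and that belongs in the script, e.g. `# denial is not reproducible here; this phase only checks that the policy contains the rule`. Since the phase pins a capability grant as expected behaviour, one line on why `sys_nice` is considered acceptable for `rtkit_daemon_t` would help whoever audits the rule later. The enclosing `if` block opens above the hunk, so which releases run this phase cannot be confirmed from here.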