From caadab746cf0b1dae4b089426462227476d72c3e Mon Sep 17 00:00:00 2001 From: Milos Malik Date: Apr 16 2021 07:23:56 +0000 Subject: test if systemd-modules-load can read files under /sys/firmware/efi According to several BZ reports, the systemd-modules-load program wants to read /sys/firmware/efi/efivars/SecureBoot-* files. Unfortunately, SELinux policy denies that access. The TC reproduces the issue on machines where the EFI variable FS is mounted (the /sys/firmware/efi/efivars/ directory exists). I believe the access is needed for correct function of the systemd-modules-load service. The TC looks for appropriate policy rule. The TC covers BZ#1819161 and its duplicates.
---
diff --git a/selinux-policy/systemd-modules-load-and-similar/Makefile b/selinux-policy/systemd-modules-load-and-similar/Makefile
index aeca98e..97e3bb3 100644
--- a/selinux-policy/systemd-modules-load-and-similar/Makefile
+++ b/selinux-policy/systemd-modules-load-and-similar/Makefile
@@ -74,7 +74,12 @@ $(METADATA): Makefile
 	@echo "Bug: 1697632" >> $(METADATA) # Fedora 30
 	@echo "Bug: 1698200" >> $(METADATA) # Fedora 30
 	@echo "Bug: 1699559" >> $(METADATA) # Fedora 30
+	@echo "Bug: 1819161" >> $(METADATA) # Fedora 32
 	@echo "Bug: 1823246" >> $(METADATA) # RHEL-8
+	@echo "Bug: 1824196" >> $(METADATA) # Fedora 32
+	@echo "Bug: 1829700" >> $(METADATA) # Fedora 32
+	@echo "Bug: 1833502" >> $(METADATA) # Fedora 32
+	@echo "Bug: 1838933" >> $(METADATA) # Fedora 32
 
 	rhts-lint $(METADATA)
 
diff --git a/selinux-policy/systemd-modules-load-and-similar/runtest.sh b/selinux-policy/systemd-modules-load-and-similar/runtest.sh
index b345047..4c896ba 100755
--- a/selinux-policy/systemd-modules-load-and-similar/runtest.sh
+++ b/selinux-policy/systemd-modules-load-and-similar/runtest.sh
@@ -99,6 +99,12 @@ rlJournalStart
         rlSESearchRule "allow systemd_modules_load_t bin_t : file { execute execute_no_trans map } [ ]"
     rlPhaseEnd
 
+    rlPhaseStartTest "bz#1819161 + bz#1824196 + bz#1829700 + bz#1833502 + bz#1838933"
+        rlSEMatchPathCon "/sys/firmware/efi" "efivarfs_t"
+        rlSESearchRule "allow systemd_modules_load_t efivarfs_t : file { getattr open read } [ ]"
+        rlSESearchRule "allow systemd_resolved_t efivarfs_t : file { getattr open read } [ ]"
+    rlPhaseEnd
+
     rlPhaseStartTest "real scenario -- standalone service"
         rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"
         rlRun "echo ${KERNEL_MODULE} > /etc/modules-load.d/${KERNEL_MODULE}.conf"
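Review bot: The rlSEMatchPathCon call in the new phase checks `/sys/firmware/efi`, but the commit message says the denied reads are of files under `/sys/firmware/efi/efivars/`, which is a separate efivarfs mount; if only that subtree carries the efivarfs_t label, the assertion on the parent directory may not reflect the path the service actually touches. Consider checking the efivars path instead, `rlSEMatchPathCon "/sys/firmware/efi/efivars" "efivarfs_t"`, or adding a comment explaining why the parent directory is the right path to assert on. The phase is also a purely static policy lookup: the description notes the problem reproduces only where efivarfs is mounted, so a guarded runtime check (when the efivars directory exists, restart the service and search the audit log for AVC denials involving efivarfs_t) would confirm the rule is sufficient rather than merely present. The second rlSESearchRule asserts a rule for systemd_resolved_t that neither the phase title nor the description ties to a specific bug; a short comment naming which BZ requires it would help. The enclosing rlJournalStart block begins and ends outside this hunk.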