From f4761fdb7e7fbfb86ba577a33e7328b0367900cd Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: May 20 2021 10:01:59 +0000
Subject: test if usbmuxd can call statfs on /sys/fs/cgroup filesystem
Recent testing revealed that the usbmuxd service triggers SELinux denials during its start, because SELinux prevents the usbmuxd process from accessing the /sys/fs/cgroup filesystem. The TC is able to reproduces the situation. I believe this access should be allowed in SELinux policy. The TC looks for appropriate policy rules. The TC covers BZ#1936705.
---
diff --git a/selinux-policy/usbmuxd-and-similar/Makefile b/selinux-policy/usbmuxd-and-similar/Makefile
index f960b22..c05b47b 100644
--- a/selinux-policy/usbmuxd-and-similar/Makefile
+++ b/selinux-policy/usbmuxd-and-similar/Makefile
@@ -66,6 +66,7 @@ $(METADATA): Makefile
 @echo "Bug: 1521054" >> $(METADATA) # RHEL-7
 @echo "Bug: 1582205" >> $(METADATA) # RHEL-7
 @echo "Bug: 1930992" >> $(METADATA) # Fedora 33
+ @echo "Bug: 1936705" >> $(METADATA) # Fedora 34
 rhts-lint $(METADATA)
diff --git a/selinux-policy/usbmuxd-and-similar/runtest.sh b/selinux-policy/usbmuxd-and-similar/runtest.sh
index 9f63eda..2905f19 100755
--- a/selinux-policy/usbmuxd-and-similar/runtest.sh
+++ b/selinux-policy/usbmuxd-and-similar/runtest.sh
@@ -80,6 +80,11 @@ rlJournalStart
 rlSESearchRule "allow usbmuxd_t sysfs_t : filesystem { getattr } [ ]"
 rlPhaseEnd
+ rlPhaseStartTest "bz#1936705"
+ rlSEMatchPathCon "/sys/fs/cgroup" "cgroup_t"
+ rlSESearchRule "allow usbmuxd_t cgroup_t : filesystem { getattr } [ ]"
+ rlPhaseEnd
+
 rlPhaseStartTest "real scenario"
 rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"
 if ! rlSEDefined ${PROCESS_CONTEXT} ; then
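Review bot: The new "bz#1936705" phase in runtest.sh has no comment explaining why the path-context check and the rule search belong together, and the link between them is indirect. `rlSEMatchPathCon` looks up the file-context entry for the directory /sys/fs/cgroup, while the searched rule is on the `filesystem` class, which is normally checked against the label of the mounted filesystem rather than that entry. The two usually agree on `cgroup_t`, but the phase would still pass if the mount were labelled differently, so the real coverage presumably comes from the "real scenario" phase, whose body continues outside this hunk. I would add a comment above the phase such as `# statfs() on /sys/fs/cgroup needs only filesystem getattr on cgroup_t; the path-context check is a proxy for the mount label`. The comment also records that the expected grant is deliberately limited to `getattr`.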