From da27245fd7ab0df3f69ad58ce8c3b62b1f5367a9 Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: Nov 06 2023 16:53:08 +0000
Subject: test if tlp can search /var/lib/snapd/

A lot of reported BZs revealed that SELinux prevents the tlp processes from searching (syscall = newfstatat) under the /var/lib/snapd directory when the snapd package is installed. The TC reproduces the situation. Based on the last comment in BZ#1888699, I believe that SELinux policy should dontaudit the access. The TC looks for appropriate policy rules. The TC covers BZ#2221019 and its duplicates.
---
diff --git a/selinux-policy/tlp-and-similar/Makefile b/selinux-policy/tlp-and-similar/Makefile
index 386b5bd..ed881d4 100644
--- a/selinux-policy/tlp-and-similar/Makefile
+++ b/selinux-policy/tlp-and-similar/Makefile
@@ -55,7 +55,7 @@ $(METADATA): Makefile
 @echo "TestTime: 10m" >> $(METADATA)
 @echo "RunFor: selinux-policy" >> $(METADATA)
 @echo "RunFor: tlp" >> $(METADATA)
- @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console expect openssh-clients tlp rfkill" >> $(METADATA)
+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console expect openssh-clients tlp rfkill snapd /usr/sbin/service" >> $(METADATA)
 @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
 @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
 @echo "Priority: Normal" >> $(METADATA)
@@ -64,6 +64,7 @@ $(METADATA): Makefile
 @echo "Destructive: no" >> $(METADATA)
 @echo "Releases: -RHEL4 -RHEL5" >> $(METADATA)
 @echo "Bug: 1460481" >> $(METADATA) # RHEL-7
+ @echo "Bug: 2221019" >> $(METADATA) # Fedora 38
 rhts-lint $(METADATA)
diff --git a/selinux-policy/tlp-and-similar/main.fmf b/selinux-policy/tlp-and-similar/main.fmf
index 4dca1a4..cc29570 100644
--- a/selinux-policy/tlp-and-similar/main.fmf
+++ b/selinux-policy/tlp-and-similar/main.fmf
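Review bot: The `Requires:` line now makes `snapd` a hard dependency of the task, while runtest.sh guards the snapd-specific step with `rpm -q snapd` and main.fmf lists the package only under `recommend:`; where the harness cannot install snapd the task would presumably fail at dependency installation rather than skip that step, so the two mechanisms disagree. If skipping is the intended behaviour, consider leaving snapd out of `Requires:` and relying on the runtime guard, or record in the description why both are wanted. The `/usr/sbin/service` entry is not referenced anywhere else in this diff; a trailing shell comment after the `Requires:` echo, such as `# Fedora 38: snapd and service(8) are used by the bz#2221019 scenario`, would preserve the intent — confirm that is the actual reason before writing it.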
@@ -19,6 +19,8 @@ recommend:
 - openssh-clients
 - tlp
 - rfkill
+ - snapd
+ - /usr/sbin/service
 environment:
 AVC_ERROR: +no_avc_check
 duration: 10m
@@ -27,17 +29,18 @@ tag:
 - NoRHEL4
 - NoRHEL5
 - TIPpass_Security
- - TierCandidatesFAIL
+ - failinfedora
 - f33friendly
 - targeted
 link:
 - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1460481
+ - verifies: https://bugzilla.redhat.com/show_bug.cgi?id=2221019
 adjust:
 - enabled: false
 when: arch == s390x
 continue: false
 - enabled: false
- when: distro == rhel-4, rhel-5, rhel-9
+ when: distro == rhel-4, rhel-5
 continue: false
 extra-nitrate: TC#0569976
 extra-summary: /CoreOS/selinux-policy/Regression/tlp-and-similar
diff --git a/selinux-policy/tlp-and-similar/runtest.sh b/selinux-policy/tlp-and-similar/runtest.sh
index 469a1db..9e39d97 100755
--- a/selinux-policy/tlp-and-similar/runtest.sh
+++ b/selinux-policy/tlp-and-similar/runtest.sh
@@ -81,7 +81,16 @@ rlJournalStart
 rlPhaseEnd
 fi
+ if rlSEDefined "snappy_var_lib_t" ; then
+ rlPhaseStartTest "bz#2221019"
+ rlSESearchRule "dontaudit tlp_t snappy_var_lib_t : dir { search } [ ]"
+ rlPhaseEnd
+ fi
+
 rlPhaseStartTest "real scenario -- standalone service"
+ if rpm -q snapd >& /dev/null ; then
+ rlRun "ls -alRZ /var/lib/snapd"
+ fi
 rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"
 if ! rlSEDefined ${PROCESS_CONTEXT} ; then
 if rlIsRHEL 5 6 ; then
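Review bot: Dropping `rhel-9` from the second `adjust` entry re-enables the whole test on RHEL-9, which the commit message (centred on Fedora 38 and BZ 2221019) does not mention, so the reason for that change is recorded nowhere. If it is deliberate, a YAML comment on the changed line, e.g. `when: distro == rhel-4, rhel-5  # rhel-9 re-enabled together with bz#2221019 coverage`, or a sentence in the description would stop the next reader from treating it as accidental. The swap of `TierCandidatesFAIL` for `failinfedora` in the `tag` list is likewise unexplained and would benefit from the same treatment.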
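Review bot: `rlRun "ls -alRZ /var/lib/snapd"` in the "real scenario" phase is a diagnostic with no assertion behind it, and a recursive listing of /var/lib/snapd may be slow and flood the journal if snaps are installed and mounted beneath it — that depends on the test machine, so treat it as a risk rather than a certainty. Since the rule checked in the `bz#2221019` phase is `dir { search }` on the directory itself, a non-recursive `rlRun "ls -alZ /var/lib/snapd"` records the relevant labels, and a comment such as `# diagnostic only: record labels under /var/lib/snapd (expected snappy_var_lib_t) for triaging any tlp_t denial` would explain why the listing is there at all. The `bz#2221019` phase silently does nothing when `snappy_var_lib_t` is undefined, which matches the guard pattern just above it but deserves an `rlLogInfo` so the skip shows in the log. The enclosing rlJournalStart block starts and ends outside the hunk.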