PR#174: test if RPM database can be initialized anywhere - tests/selinux

tests / selinux

#174 test if RPM database can be initialized anywhere

Closed a year ago by mmalik. Opened 3 years ago by mmalik.

tests/ mmalik/selinux test-rpmdb-initdb into main

test if RPM database can be initialized anywhere

Milos Malik • 3 years ago

cbc8fa2

selinux-policy/rpmdb-and-similar/Makefile

file modified

+3 -1

		`@@ -54,7 +54,7 @@`
		`@echo "Type: Regression" >> $(METADATA)`
		`@echo "TestTime: 10m" >> $(METADATA)`
		`@echo "RunFor: selinux-policy" >> $(METADATA)`
		`- @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console initscripts sssd" >> $(METADATA)`
		`+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console initscripts sssd /usr/sbin/semanage" >> $(METADATA)`
		`@echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`@echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`@echo "Priority: Normal" >> $(METADATA)`
		`@@ -69,6 +69,8 @@`
		`@echo "Bug: 1900388" >> $(METADATA) # Fedora 33`
		`@echo "Bug: 1900390" >> $(METADATA) # Fedora 33`
		`@echo "Bug: 1900391" >> $(METADATA) # Fedora 33`
		`+ @echo "Bug: 1901961" >> $(METADATA) # Fedora 33`
		`+ @echo "Bug: 1906289" >> $(METADATA) # Fedora 33`

		`rhts-lint $(METADATA)`

selinux-policy/rpmdb-and-similar/runtest.sh

file modified

+17

		`@@ -110,6 +110,23 @@`
		`rlRun "semodule -B"`
		`rlPhaseEnd`

		`+ rlPhaseStartTest "initialize RPM database in unusual location"`
		+ TEST_RPM_DIR=`mktemp -d`
		`+ rlRun "chcon -t rpm_var_lib_t ${TEST_RPM_DIR}"`
		`+ rlRun "rpmdb --initdb --dbpath ${TEST_RPM_DIR}"`
		`+ rlRun "ls -lZ ${TEST_RPM_DIR}"`
		`+ rlRun "rm -rf ${TEST_RPM_DIR}"`
		`+`
		+ TEST_ROOT_DIR=`mktemp -d`
		`+ rlRun "mkdir -p ${TEST_ROOT_DIR}/var/lib/rpm"`
		`+ rlRun "semanage fcontext -a -e / ${TEST_ROOT_DIR}"`
		`+ rlRun "restorecon -Rv ${TEST_ROOT_DIR}"`
		`+ rlRun "rpmdb --initdb --root ${TEST_ROOT_DIR}"`
		`+ rlRun "ls -lRZ ${TEST_ROOT_DIR}"`
		`+ rlRun "rm -rf ${TEST_ROOT_DIR}"`
		`+ rlRun "semanage fcontext -d -e / ${TEST_ROOT_DIR}"`
		`+ rlPhaseEnd`
		`+`
		`rlPhaseStartCleanup`
		`sleep 2`
		`rlSECheckAVC`

mmalik commented 3 years ago

SELinux interferes with the rpmdb program when executed with the
--initdb option and with non-default location supplied via --dbpath
or --root options. These scenarios lead to a RPM database which is
incomplete.

I believe these scenarios are valid and should be allowed in SELinux
policy. This TC reproduces these scenarios and looks for any SELinux
denials that may appear in the meantime.

The TC covers BZ#1901961, BZ#1906289.

rebased onto f080e28b5ce99ef2410b19e4dcb2a8ec8cdb241c

3 years ago

rebased onto 38904b9ef566c665cfcef177c2d5fafa476dc5af

3 years ago

mmalik commented 3 years ago

The TC failed because some policy rule checks related to different bugs failed. Fortunately, no SELinux denials appeared, which means that these checks may be misleading.

mmalik commented 3 years ago

I believe that unusual location for RPM database must be labeled correctly before calling rpmdb. What's your opinion @zpytela ?

zpytela commented 3 years ago

My expectations were the same, refer to
https://bugzilla.redhat.com/show_bug.cgi?id=1901961#c1
but we seem not to have agreement with other developers.

Additionally, the fedora docs would need updating:
https://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/ch04s05s03.html

rebased onto 29645c168fa075a1052c8cb027acc20b33554cde

3 years ago

rebased onto cbc8fa2

3 years ago

Pull-Request has been closed by mmalik

a year ago