PR#220: selinux-policy: Add test for bug1942267 - tests/selinux

		`@@ -0,0 +1,7 @@`
		`+ # Minimal Makefile for standard-test-roles-beakerlib`
		`+`
		`+ R="RhtsRequires: perf"`
		`+`
		`+ run:`
		`+ chmod +x runtest.sh`
		`+ ./runtest.sh`

kernel/avc_tracepoint/main.fmf

file added

+27

		`@@ -0,0 +1,27 @@`
		`+ summary: Basic test for SELinux AVC tracepoint support`
		`+ description: \|`
		`+ Tests basic functionality of the built-in kernel tracepoint for audited`
		`+ SELinux denials that has been introduced in kernel v5.10.`
		`+`
		`+ See also:`
		`+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd8166212d9a2eca3181567c953d5687aea4d7dc`
		`+ contact: Ondrej Mosnacek <omosnace@redhat.com>`
		`+ component:`
		`+ - kernel`
		`+ framework: beakerlib`
		`+ require:`
		`+ - perf`
		`+ duration: 5m`
		`+ tier: 2`
		`+ enabled: true`
		`+ adjust:`
		`+ - enabled: false`
		`+ when: distro < rhel-8.5`
		`+ because: RHEL-8.5 and below are not expected to support this`
		`+ - enabled: false`
		`+ when: distro < fedora-35`
		`+ because: This feature may not be available in kernels in F34 and below`
		`+ link:`
		`+ - verifies: https://bugzilla.redhat.com/show_bug.cgi?id=1954024`
		`+ environment:`
		`+ AVC_ERROR: +no_avc_check`

kernel/avc_tracepoint/runtest.sh

file added

+30

		`@@ -0,0 +1,30 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # SPDX-License-Identifier: GPLv2`
		`+ # Copyright (c) 2021 Red Hat, Inc.`
		`+ # Author: Ondrej Mosnacek <omosnace@redhat.com>`
		`+`
		`+ # Include Beakerlib environment`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "uname -r"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest`
		`+ rlAssertExists /sys/kernel/tracing/events/avc/selinux_audited/enable`
		`+ rlRun "perf list \| grep avc:selinux_audited"`
		`+ rlRun "perf record -o perf.data -e avc:selinux_audited \`
		`+ -g --call-graph dwarf \`
		`+ runcon system_u:system_r:kernel_t:s0 echo" 0-255`
		`+ rlRun "perf script -i perf.data"`
		`+ rlAssertGreater "'perf script' output should have more than 0 lines" \`
		`+ "$(perf script -i perf.data \| wc -l)" "0"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ rlRun "rm -f perf.data"`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`

kernel/netlabel_many_ifaces/main.fmf

file modified

+2 -2

		`@@ -14,5 +14,5 @@`
		`enabled: true`
		`adjust:`
		`enabled: false`
		`- when: distro < rhel-7`
		`- because: RHEL-6 and below is too old...`
		`+ when: distro < rhel-8.4`
		`+ because: not fixed below RHEL 8.4...`

kernel/selinux-testsuite/main.fmf

file modified

+12 -6

		`@@ -1,10 +1,16 @@`
		`- path: /kernel/selinux-testsuite`
		`-`
		`summary: Wrapper for selinux-testuite`
		`description: \|`
		`This TC runs a functional test suite for the LSM-based SELinux security module.`
		`- duration: 60m`
		`- tier: 2`
		`+ contact: Milos Malik <mmalik@redhat.com>`
		`+ component:`
		`+ - kernel`
		`+ - selinux-policy`
		`+ framework: beakerlib`
		`+ duration: 1h`
		`+ tier: 1`
		`+ enabled: true`
		`adjust:`
		`- - enabled: false`
		`- when: distro < rhel-5`
		`+ - enabled: false`
		`+ when: distro < rhel-5`
		`+ - enabled: false`
		`+ when: arch = i386`

kernel/selinux-testsuite/runtest.sh

file modified

+15 -13

		`@@ -35,7 +35,7 @@`
		`# This should be updated as needed after verifying that the new version`
		`# doesn't break testing and after applying all necessary tweaks in the TC.`
		`# Run with GIT_BRANCH=master to run the latest upstream version.`
		`- DEFAULT_COMMIT="1defa850ae71bc27c9dd101d19f543a42abc9537"`
		`+ DEFAULT_COMMIT="58eaa31c9e0e0a0567990336ae355b4cd309e6e3"`
		`# Default pull requests to merge before running the test.`
		`# If non-empty, then after checking out GIT_BRANCH the listed upstream pull`
		`# requests (by number) are merged, creating a new temporary local branch.`
		`@@ -328,6 +328,11 @@`
		`rlRun "sed -i '/SUBDIRS += bpf/d;/export CFLAGS += -DHAVE_BPF/d' tests/Makefile" 0 \`
		`"RHEL < 8.2 doesn't ship libbpf => disable BPF subtests"`
		`fi`
		`+ if rlIsRHEL "<9"; then`
		`+ # CONFIG_KEY_DH_OPERATIONS not enabled on RHEL-8 :(`
		`+ # on RHEL-7, KEYCTL_DH_COMPUTE is not defined in the header`
		`+ exclude_tests+=" keys"`
		`+ fi`

		`rlRun "sed -i 's/tm\.tv_sec = [0-9];/tm.tv_sec = $NETWORK_TIMEOUT;/' ./tests//*.c" 0 \`
		`"Tweak timeout in networking tests" # 2 secs is too little for SCTP test`
		`@@ -375,18 +380,15 @@`
		`rlRun "sed -i 's/SCTP_SEND_FAILED_EVENT/SCTP_STREAM_CHANGE_EVENT + 1/g' tests/sctp/*.c" 0 \`
		`"Fix SCTP test compilation on old RHEL kernels"`
		`fi`
		`- # CONFIG_KEYS_DH_COMPUTE not enabled on RHEL-8 :(`
		`- exclude_tests+=" keys"`
		`-`
		`- # Needs:`
		`- # e4cfa05e9bfe ("selinux: Add xfs quota command types")`
		`- # (not backported to any RHEL at this point - TODO update the check once it is)`
		`- script1='s/\$test_count += 62;/$test_count = 55;/g'`
		`- script2='s/\$quota_checks += 1;/$quota_checks = 0;/g'`
		`- # for some reason this is needed for older RHEL 7 versions...`
		`- script3='s/\$test_count += 69;/$test_count = 55;/g'`
		`- rlRun "sed -i -E -e '$script1' -e '$script2' -e '$script3' tests/filesystem/test" 0 \`
		`- "Apply workaround for missing XFS quota checks"`
		`+ if kver_lt 4.18.0-252; then`
		`+ # 8a4d5985551b [security] selinux: Add xfs quota command types`
		`+ script1='s/\$test_count += 62;/$test_count = 55;/g'`
		`+ script2='s/\$quota_checks += 1;/$quota_checks = 0;/g'`
		`+ # for some reason this is needed for older RHEL 7 versions...`
		`+ script3='s/\$test_count += 69;/$test_count = 55;/g'`
		`+ rlRun "sed -i -E -e '$script1' -e '$script2' -e '$script3' tests/filesystem/test" 0 \`
		`+ "Apply workaround for missing XFS quota checks"`
		`+ fi`
		`fi`

		`# CKI mainline kernels don't ship with module build infrastructure`

kernel/wrong-rules-after-setsebool/Makefile

file added

		`@@ -0,0 +1,7 @@`
		`+ # Minimal Makefile for standard-test-roles-beakerlib`
		`+`
		`+ R="RhtsRequires: policycoreutils setools-console"`
		`+`
		`+ run:`
		`+ chmod +x runtest.sh`
		`+ ./runtest.sh`

kernel/wrong-rules-after-setsebool/main.fmf

file added

+20

		`@@ -0,0 +1,20 @@`
		`+ summary: Regression test for broken rules after setting booleans`
		`+ description: \|`
		`+ Test that conditional rules are not broken after changing SELinux booleans.`
		`+`
		`+ Originally discovered in:`
		`+ https://src.fedoraproject.org/tests/selinux/pull-request/203#comment-71053`
		`+ contact: Ondrej Mosnacek <omosnace@redhat.com>`
		`+ component:`
		`+ - kernel`
		`+ framework: beakerlib`
		`+ require:`
		`+ - policycoreutils`
		`+ - setools-console`
		`+ duration: 5m`
		`+ tier: 2`
		`+ enabled: true`
		`+ adjust:`
		`+ enabled: false`
		`+ when: distro < rhel-7`
		`+ because: RHEL-6 and below are not worth supporting by this test`

kernel/wrong-rules-after-setsebool/runtest.sh

file added

+29

		`@@ -0,0 +1,29 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # SPDX-License-Identifier: GPLv2`
		`+ # Copyright (c) 2021 Red Hat, Inc.`
		`+ # Author: Ondrej Mosnacek <omosnace@redhat.com>`
		`+`
		`+ # Include Beakerlib environment`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "uname -r"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest`
		`+ rlRun "sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A \| \`
		`+ tee sesearch-before.txt"`
		`+ rlRun "setsebool ftpd_anon_write=off ftpd_connect_all_unreserved=off \`
		`+ ftpd_connect_db=off ftpd_full_access=off"`
		`+ rlRun "sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A \| \`
		`+ tee sesearch-after.txt"`
		`+ rlAssertNotDiffer "sesearch-before.txt" "sesearch-after.txt"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ rlRun "rm -f sesearch-before.txt sesearch-after.txt"`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`

libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit/Makefile

file added

+72

		`@@ -0,0 +1,72 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit`
		`+ # Description: The rpm scripts from libsepol uses out of date commands like telinit.`
		`+ # Author: Amith Kumar <apeetham@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2010 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Amith Kumar <apeetham@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: The rpm scripts from libsepol uses out of date commands like telinit" >> $(METADATA)`
		`+ @echo "Type: Sanity" >> $(METADATA)`
		`+ @echo "TestTime: 5m" >> $(METADATA)`
		`+ @echo "RunFor: libsepol" >> $(METADATA)`
		`+ @echo "RunFor: libselinux" >> $(METADATA)`
		`+ @echo "RunFor: libsemanage" >> $(METADATA)`
		`+ @echo "Requires: libsepol" >> $(METADATA)`
		`+ @echo "Requires: libsepol-devel" >> $(METADATA)`
		`+ @echo "Requires: libselinux" >> $(METADATA)`
		`+ @echo "Requires: libselinux-devel" >> $(METADATA)`
		`+ @echo "Requires: libsemanage" >> $(METADATA)`
		`+ @echo "Requires: libsemanage-devel" >> $(METADATA)`
		`+ @echo "Requires: pkgconfig" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Bug: 1838257" >> $(METADATA)`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit/PURPOSE

file added

+11

		`@@ -0,0 +1,11 @@`
		`+ PURPOSE of /CoreOS/libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit`
		`+`
		`+ Description: libsepol rpm scripts use deprecated telinit command`
		`+`
		`+ Author: Amith Kumar <apeetham@redhat.com>`
		`+`
		`+ Bugzilla links:`
		`+ https://bugzilla.redhat.com/show_bug.cgi?id=1838257`
		`+`
		`+ Description of problem:`
		`+ The rpm scripts from the rpm is using out of date commands like telinit.`

libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit/main.fmf

file added

		`@@ -0,0 +1,2 @@`
		`+ path: /libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit`
		`+ tier: 1`

libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit/runtest.sh

file added

+52

		`@@ -0,0 +1,52 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/libsepol/Sanity/bz1838257-rpm-scripts-use-deprecated-telinit`
		`+ # Description: The rpm scripts from the rpm is using out of date commands like telinit.`
		`+ # Author: Amith Kumar <apeetham@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2010 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include rhts environment`
		`+ . /usr/bin/rhts-environment.sh`
		`+ . /usr/share/beakerlib/beakerlib.sh`
		`+`
		`+ PACKAGE=libsepol`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlAssertRpm $PACKAGE`
		`+ rlPhaseEnd`
		`+`
		`+ if rlIsFedora '>=33' \|\| rlIsRHEL ">=7" ; then`
		`+ rlPhaseStartTest "libsepol rpm scripts use deprecated telinit command bz#1838257"`
		`+ for COMPONENT in "libsepol" "libsemanage" "libselinux" ; do`
		`+ rlRun "rpm -qa --scripts \$COMPONENT\ 2>&1 \| tee output_file"`
		`+ rlAssertNotGrep "telinit" output_file`
		`+ rlRun "rm -f output_file"`
		`+ done`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ rlPhaseStartCleanup`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`

policycoreutils/org-selinux-dbus-interfaces/Makefile

file modified

		`@@ -63,3 +63,4 @@`
		`@echo "Bug: 1754873" >> $(METADATA) # RHEL-8`

		`rhts-lint $(METADATA)`
		`+`

policycoreutils/org-selinux-dbus-interfaces/runtest.sh

file modified

+9 -6

		`@@ -91,13 +91,16 @@`
		`rlPhaseEnd`

		`rlPhaseStartTest "org.selinux.change_default_policy"`
		`+ # 1 argument is missing`
		`rlRun "dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.change_default_policy" 1`
		`- rlRun "dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.change_default_policy string:minimum"`
		`- rlRun "grep SELINUXTYPE=minimum /etc/selinux/config"`
		`- rlRun "dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.change_default_policy string:mls"`
		`- rlRun "grep SELINUXTYPE=mls /etc/selinux/config"`
		`- rlRun "dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.change_default_policy string:targeted"`
		`- rlRun "grep SELINUXTYPE=targeted /etc/selinux/config"`
		`+ # test existing policies`
		`+ for POLICY_KIND in minimum mls targeted ; do`
		`+ if rpm -q selinux-policy-${POLICY_KIND} ; then`
		`+ rlRun "dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.change_default_policy string:${POLICY_KIND}"`
		`+ rlRun "grep SELINUXTYPE=${POLICY_KIND} /etc/selinux/config"`
		`+ fi`
		`+ done`
		`+ # test a non-existent policy`
		`rlRun "dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.change_default_policy string:xyz" 1`
		`rlPhaseEnd`

policycoreutils/setfiles_binary/Makefile

file added

+63

		`@@ -0,0 +1,63 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/policycoreutils/Sanity/setfiles_binary`
		`+ # Description: setfiles should allow checking given path against binary policy`
		`+ # Author: Vit Mojzis <vmojzis@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/policycoreutils/Sanity/setfiles_binary`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ test -x runtest.sh \|\| chmod a+x runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Vit Mojzis <vmojzis@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: setfiles should allow checking given path against binary policy" >> $(METADATA)`
		`+ @echo "Type: Sanity" >> $(METADATA)`
		`+ @echo "TestTime: 5m" >> $(METADATA)`
		`+ @echo "RunFor: policycoreutils" >> $(METADATA)`
		`+ @echo "Requires: policycoreutils rpm cpio" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Bug: 1973754" >> $(METADATA) # RHEL-8`
		`+ rhts-lint $(METADATA)`

policycoreutils/setfiles_binary/PURPOSE

file added

		`@@ -0,0 +1,3 @@`
		`+ PURPOSE of /CoreOS/policycoreutils/Sanity/setfiles_binary`
		`+ Description: Setfiles should allow checking given path against binary policy`
		`+ Author: Vit Mojzis <vmojzis@redhat.com>`

policycoreutils/setfiles_binary/main.fmf

file added

+22

		`@@ -0,0 +1,22 @@`
		`+ summary: setfiles should allow checking given path against binary policy`
		`+ description: >`
		`+ setfiles didn't allow using "-c" parameter (binary policy) when path`
		`+ was specified. Verify that setfiles now gives the same results`
		`+ regardless of weather binary policy was provided.`
		`+ contact: Vit Mojzis <vmojzis@redhat.com>`
		`+ path: /policycoreutils/setfiles_binary`
		`+ component:`
		`+ - policycoreutils`
		`+ framework: beakerlib`
		`+ require:`
		`+ - e2fsprogs`
		`+ - policycoreutils`
		`+ - rpm`
		`+ - cpio`
		`+ duration: 5m`
		`+ tier: 1`
		`+ enabled: true`
		`+ adjust:`
		`+ enabled: false`
		`+ when: distro ~< rhel-8.4`
		`+ because: not expected to be fixed in RHEL-8 below 8.4`

policycoreutils/setfiles_binary/runtest.sh

file added

+75

		`@@ -0,0 +1,75 @@`
		`+ #!/bin/bash`
		`+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/policycoreutils/Sanity/setfiles_binary`
		`+ # Description: setfiles should allow checking given path against binary policy`
		`+ # Author: Vit Mojzis <vmojzis@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="policycoreutils"`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlAssertRpm $PACKAGE`
		`+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"`
		`+ rlRun "pushd $TmpDir"`
		+ OUTPUT=`mktemp`
		`+ rlRun "mkdir policy"`
		`+ rlRun "pushd policy"`
		`+ # download and extract selinux-policy-targeted`
		`+ rlRun "dnf download selinux-policy-targeted --downloaddir ."`
		`+ rlRun "rpm2cpio *.rpm \| cpio -idm"`
		`+ rlRun "popd"`
		`+ # create a mockup of root directory structure`
		`+ DIRS="bin boot dev etc home lib lib64 media mnt opt proc root run sbin snap srv sys tmp usr var"`
		`+ rlRun "`
		`+ mkdir testroot`
		`+ for DIR in ${DIRS}; do`
		`+ mkdir -p testroot/\${DIR}`
		`+ done`
		`+ "`
		`+ rlRun "ls -lZ testroot"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "setfiles should allow checking given path against binary policy - bz#1973754"`
		`+ DIR=$(pwd)`
		`+ # run setfiles using system policy`
		`+ rlRun "setfiles -r '$DIR/testroot' -nvF /etc/selinux/targeted/contexts/files/file_contexts '$DIR/testroot' &> setfilesout"`
		`+ POLICY=$(find "$DIR/policy/etc/selinux/targeted/policy/" -name "policy.*")`
		`+ # run the same command using the extracted policy`
		`+ rlRun "setfiles -r '$DIR/testroot' -nvF -c '$POLICY' '$DIR/policy/etc/selinux/targeted/contexts/files/file_contexts' '$DIR/testroot' &> setfilesout2"`
		`+ rlRun "diff setfilesout setfilesout2" 0`
		`+ if [ ! $? -eq 0 ] ; then`
		`+ rlRun "cat setfilesout"`
		`+ rlRun "cat setfilesout2"`
		`+ fi`
		`+ rlPhaseEnd`
		`+ rlPhaseStartCleanup`
		`+ rlRun "popd"`
		`+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`

selinux-policy/Library/common/lib.sh

file modified

		`@@ -1285,6 +1285,13 @@`

		`}`

		`+ function rlSEConfigureSSH () {`
		`+ rlFileBackup /etc/ssh/sshd_config`
		`+ rlRun "sed -i 's/^.PermitRootLogin.$/PermitRootLogin yes/' /etc/ssh/sshd_config"`
		`+ rlRun "sed -i 's/^.PasswordAuthentication.$/PasswordAuthentication yes/' /etc/ssh/sshd_config"`
		`+ rlRun "service sshd restart"`
		`+ }`
		`+`
		`true <<'=cut'`
		`=pod`

selinux-policy/accounts-daemon-and-similar/Makefile

file added

+85

		`@@ -0,0 +1,85 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/accounts-daemon-and-similar`
		`+ # Description: SELinux interferes with accounts daemon and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2012 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/accounts-daemon-and-similar`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh`
		`+ chcon -t bin_t runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: SELinux interferes with accounts daemon and related programs" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 10m" >> $(METADATA)`
		`+ @echo "RunFor: accountsservice" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console accountsservice glib2 procps-ng realmd initscripts" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4 -RHELServer5 -RHELClient5 -RHEL6" >> $(METADATA)`
		`+ @echo "Bug: 1456760" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1507089" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1518211" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1595667" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1792895" >> $(METADATA) # RHEL-8`
		`+ @echo "Bug: 1806126" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1811407" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1815312" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1818696" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1819040" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1820978" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1820992" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1821156" >> $(METADATA) # RHEL-8`
		`+ @echo "Bug: 1828809" >> $(METADATA) # RHEL-8`
		`+ @echo "Bug: 1829013" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1829075" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1829128" >> $(METADATA) # Fedora 32`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/accounts-daemon-and-similar/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/accounts-daemon-and-similar`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ SELinux interferes with accounts daemon and related programs.`
		`+`

selinux-policy/accounts-daemon-and-similar/main.fmf

file added

		`@@ -0,0 +1,3 @@`
		`+ path: /selinux-policy/accounts-daemon-and-similar`
		`+ tier: 2`
		`+`

selinux-policy/accounts-daemon-and-similar/runtest.sh

file added

+149

		`@@ -0,0 +1,149 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/accounts-daemon-and-similar`
		`+ # Description: SELinux interferes with accounts daemon and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2012 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ ROOT_PASSWORD="redhat"`
		`+ FILE_PATH="/usr/libexec/accounts-daemon"`
		`+ FILE_CONTEXT="accountsd_exec_t"`
		`+ SERVICE_PACKAGE="accountsservice"`
		`+ SERVICE_NAME="accounts-daemon"`
		`+ PROCESS_NAME="accounts-daemon"`
		`+ PROCESS_CONTEXT="accountsd_t"`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm ${SERVICE_PACKAGE}`
		`+`
		`+ rlServiceStop ${SERVICE_NAME}`
		`+ rlFileBackup /etc/shadow`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "SELinux contexts and rules"`
		`+ if rlIsRHEL 5 ; then`
		`+ SOURCE_TYPE="initrc_t"`
		`+ BOOLEANS="[ ]" # a boolean name`
		`+ elif rlIsRHEL 6 ; then`
		`+ SOURCE_TYPE="initrc_t"`
		`+ else # RHEL-7 etc.`
		`+ SOURCE_TYPE="init_t" # systemd runs the process`
		`+ fi`
		`+ rlSEMatchPathCon "${FILE_PATH}" "${FILE_CONTEXT}"`
		`+ rlSESearchRule "allow ${SOURCE_TYPE} ${FILE_CONTEXT} : file { getattr open read execute }"`
		`+ rlSESearchRule "allow ${SOURCE_TYPE} ${PROCESS_CONTEXT} : process { transition }"`
		`+ rlSESearchRule "type_transition ${SOURCE_TYPE} ${FILE_CONTEXT} : process ${PROCESS_CONTEXT}"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1456760 + bz#1518211"`
		`+ rlSEMatchPathCon "/usr/libexec/accounts-daemon" "accountsd_exec_t"`
		`+ rlSEMatchPathCon "/root" "admin_home_t"`
		`+ rlSESearchRule "dontaudit accountsd_t admin_home_t : dir { write } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1507089"`
		`+ rlSEMatchPathCon "/usr/libexec/accounts-daemon" "accountsd_exec_t"`
		`+ rlSESearchRule "allow accountsd_t accountsd_t : capability { dac_read_search } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ if ! rlIsRHEL 5 6 ; then`
		`+ rlPhaseStartTest "bz#1595667"`
		`+ rlSEMatchPathCon "/usr/sbin/useradd" "useradd_exec_t"`
		`+ rlSESearchRule "allow accountsd_t useradd_exec_t : file { map } [ ]"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ if ! rlIsRHEL 5 6 7 ; then`
		`+ rlPhaseStartTest "bz#1792895 + bz#1821156"`
		`+ rlSESearchRule "allow accountsd_t realmd_t : dbus { send_msg } [ ]"`
		`+ rlSESearchRule "allow realmd_t accountsd_t : dbus { send_msg } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1828809"`
		`+ for USER_TYPE in user_t staff_t sysadm_t xguest_t unconfined_t ; do`
		`+ rlSESearchRule "allow ${USER_TYPE} accountsd_t : dbus { send_msg } [ ]"`
		`+ rlSESearchRule "allow accountsd_t ${USER_TYPE} : dbus { send_msg } [ ]"`
		`+ done`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ if ! rlIsRHEL 5 ; then`
		`+ rlPhaseStartTest "real scenario -- DBus service"`
		`+ DESTINATION="org.freedesktop.Accounts"`
		`+ rlRun "gdbus introspect --system --object-path / --dest ${DESTINATION} >& /dev/null"`
		`+ sleep 1`
		`+ rlRun "ps -efZ \| grep -v grep \| grep ${PROCESS_NAME}"`
		`+ rlRun "ps -efZ \| grep -v grep \| grep \"${PROCESS_CONTEXT}.*${PROCESS_NAME}\""`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ if rlIsFedora ; then`
		`+ rlPhaseStartTest "bz#1806126, bz#1811407, bz#1815312, bz#1818696, bz#1819040, bz#1820978, bz#1820992, bz#1829013, bz#1829075, bz#1829128"`
		`+ rlSEMatchPathCon "/usr/libexec/accounts-daemon" "accountsd_exec_t"`
		`+ rlSESearchRule "dontaudit accountsd_t accountsd_t : capability { sys_nice } [ daemons_dontaudit_scheduling ]"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ rlPhaseStartTest "real scenario"`
		`+ rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then`
		`+ if rlIsRHEL 5 6 ; then`
		`+ PROCESS_CONTEXT="initrc_t"`
		`+ else`
		`+ PROCESS_CONTEXT="unconfined_service_t"`
		`+ fi`
		`+ fi`
		`+ rlRun "mkdir -p /etc/gdm"`
		`+ rlRun "restorecon -Rv /etc"`
		`+ rlRun "service realmd start" # helps to reproduce BZ#1792895`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1`
		`+ rlRun "restorecon -Rv /run /var" 0-255`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+`
		`+ rlFileRestore`
		`+ rlServiceRestore ${SERVICE_NAME}`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

selinux-policy/acpid-and-similar/Makefile

file added

+74

		`@@ -0,0 +1,74 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/acpid-and-similar`
		`+ # Description: SELinux interferes with acpid and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2012 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/acpid-and-similar`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh`
		`+ chcon -t bin_t runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: SELinux interferes with acpid and related programs" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 30m" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "RunFor: acpid" >> $(METADATA)`
		`+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools setools-console acpid initscripts" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4" >> $(METADATA)`
		`+ @echo "Architectures: i386 x86_64" >> $(METADATA)`
		`+ @echo "Bug: 995898" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1358478" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1468548" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1622417" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1623342" >> $(METADATA) # RHEL-7`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/acpid-and-similar/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/acpid-and-similar`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ SELinux interferes with acpid and related programs`
		`+`

selinux-policy/acpid-and-similar/main.fmf

file added

		`@@ -0,0 +1,2 @@`
		`+ path: /selinux-policy/acpid-and-similar`
		`+ tier: 2`

selinux-policy/acpid-and-similar/runtest.sh

file added

+125

		`@@ -0,0 +1,125 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/acpid-and-similar`
		`+ # Description: SELinux interferes with acpid and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2012 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ ROOT_PASSWORD="redhat"`
		`+ FILE_PATH="/usr/sbin/acpid"`
		`+ FILE_CONTEXT="apmd_exec_t"`
		`+ SERVICE_PACKAGE="acpid"`
		`+ SERVICE_NAME="acpid"`
		`+ PROCESS_NAME="acpid"`
		`+ PROCESS_CONTEXT="apmd_t"`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm ${SERVICE_PACKAGE}`
		`+`
		`+ rlServiceStop ${SERVICE_NAME}`
		`+ rlFileBackup /etc/shadow`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "SELinux contexts and rules"`
		`+ rlSEMatchPathCon "${FILE_PATH}" "${FILE_CONTEXT}"`
		`+ rlSESearchRule "allow initrc_t ${FILE_CONTEXT} : file { getattr open read execute }"`
		`+ rlSESearchRule "allow initrc_t ${PROCESS_CONTEXT} : process { transition }"`
		`+ rlSESearchRule "type_transition initrc_t ${FILE_CONTEXT} : process ${PROCESS_CONTEXT}"`
		`+ rlPhaseEnd`
		`+`
		`+ if ! rlIsRHEL 5 6 ; then`
		`+ rlPhaseStartTest "bz#995898"`
		`+ rlSEMatchPathCon "/usr/sbin/acpid" "apmd_exec_t"`
		`+ rlSEMatchPathCon "/usr/lib/systemd/system/poweroff.target" "power_unit_file_t"`
		`+ rlSESearchRule "allow apmd_t init_t : dbus { send_msg }"`
		`+ rlSESearchRule "allow init_t apmd_t : dbus { send_msg }"`
		`+ rlSESearchRule "allow apmd_t power_unit_file_t : service { start }"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1358478 + bz#1468548"`
		`+ rlSEMatchPathCon "/usr/sbin/acpid" "apmd_exec_t"`
		`+ rlSESearchRule "allow apmd_t apmd_t : netlink_generic_socket { create setopt bind } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1622417 + bz#1623342"`
		`+ rlSEMatchPathCon "/usr/sbin/acpid" "apmd_exec_t"`
		`+ rlSEMatchPathCon "/dev/input/event20" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event21" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event22" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event23" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event24" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event25" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event26" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event27" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event28" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event29" "event_device_t"`
		`+ rlSEMatchPathCon "/dev/input/event30" "event_device_t"`
		`+ rlSESearchRule "allow apmd_t event_device_t : chr_file { getattr open read } [ ]"`
		+ for I in `seq 20 1 30` ; do
		`+ rlRun "sesearch -T -s init_t -t device_t -c chr_file \| grep \"event_device_t.*event$I\""`
		`+ rlRun "sesearch -T -s kernel_t -t device_t -c chr_file \| grep \"event_device_t.*event$I\""`
		`+ rlRun "sesearch -T -s udev_t -t device_t -c chr_file \| grep \"event_device_t.*event$I\""`
		`+ done`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ rlPhaseStartTest "real scenario"`
		`+ rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then`
		`+ if rlIsRHEL 5 6 ; then`
		`+ PROCESS_CONTEXT="initrc_t"`
		`+ else`
		`+ PROCESS_CONTEXT="unconfined_service_t"`
		`+ fi`
		`+ fi`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1`
		`+ rlRun "restorecon -Rv /var /run"`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+`
		`+ rlFileRestore`
		`+ rlServiceRestore ${SERVICE_NAME}`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

selinux-policy/boltd-and-similar/runtest.sh

file modified

+1 -4

		`@@ -132,10 +132,7 @@`
		`rlPhaseEnd`

		`rlPhaseStartTest "real scenario -- confined users"`
		`- rlFileBackup /etc/ssh/sshd_config`
		`- rlRun "sed -i 's/^.PermitRootLogin.$/PermitRootLogin yes/' /etc/ssh/sshd_config"`
		`- rlRun "sed -i 's/^.PasswordAuthentication.$/PasswordAuthentication yes/' /etc/ssh/sshd_config"`
		`- rlRun "service sshd restart"`
		`+ rlSEConfigureSSH`

		`rlRun "setsebool ssh_sysadm_login on"`
		`rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"`

selinux-policy/bz481628-send-msg-to-dbus/runtest.sh

file modified

		`@@ -130,6 +130,8 @@`
		`rlPhaseEnd`

		`rlPhaseStartTest "real scenario -- user session service"`
		`+ rlSEConfigureSSH`
		`+`
		`rlRun "setsebool ssh_sysadm_login on"`
		`rlRun "setsebool selinuxuser_tcp_server on"`
		`# TODO: guest_u, xguest_u cannot successfully run systemctl`
		`@@ -161,6 +163,9 @@`
		`sleep 2`
		`rlSECheckAVC`
		`rm -f files.txt`
		`+`
		`+ rlFileRestore`
		`+ rlRun "service sshd restart"`
		`rlPhaseEnd`
		`rlJournalPrintText`
		`rlJournalEnd`

selinux-policy/bz624405-pcsc-and-similar/Makefile

file added

+92

		`@@ -0,0 +1,92 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/bz624405-pcsc-and-similar`
		`+ # Description: SELinux interferes with pcscd`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/bz624405-pcsc-and-similar`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh`
		`+ chcon -t bin_t runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: SELinux interferes with pcscd" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 15m" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "RunFor: pcsc-lite" >> $(METADATA)`
		`+ @echo "Requires: audit" >> $(METADATA)`
		`+ @echo "Requires: expect" >> $(METADATA)`
		`+ @echo "Requires: grep" >> $(METADATA)`
		`+ @echo "Requires: initscripts" >> $(METADATA)`
		`+ @echo "Requires: libselinux" >> $(METADATA)`
		`+ @echo "Requires: libselinux-utils" >> $(METADATA)`
		`+ @echo "Requires: pcsc-lite" >> $(METADATA)`
		`+ @echo "Requires: policycoreutils" >> $(METADATA)`
		`+ @echo "Requires: procps" >> $(METADATA)`
		`+ @echo "Requires: selinux-policy" >> $(METADATA)`
		`+ @echo "Requires: selinux-policy-mls" >> $(METADATA)`
		`+ @echo "Requires: selinux-policy-targeted" >> $(METADATA)`
		`+ @echo "Requires: setools" >> $(METADATA)`
		`+ @echo "Requires: setools-console" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4" >> $(METADATA)`
		`+ @echo "Architectures: i386 ia64 ppc ppc64 x86_64" >> $(METADATA)`
		`+ @echo "Bug: 624405" >> $(METADATA) # RHEL-6`
		`+ @echo "Bug: 752453" >> $(METADATA) # RHEL-6`
		`+ @echo "Bug: 1605641" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1802423" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1805719" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1806129" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1816787" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1818759" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1825182" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1825188" >> $(METADATA) # Fedora 32`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/bz624405-pcsc-and-similar/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/bz624405-pcsc-and-similar`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ SELinux interferes with pcscd and related programs.`
		`+`

selinux-policy/bz624405-pcsc-and-similar/main.fmf

file added

		`@@ -0,0 +1,3 @@`
		`+ path: /selinux-policy/bz624405-pcsc-and-similar`
		`+ tier: 2`
		`+`

selinux-policy/bz624405-pcsc-and-similar/runtest.sh

file added

+118

		`@@ -0,0 +1,118 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/bz624405-pcsc-and-similar`
		`+ # Description: SELinux interferes with pcscd`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include rhts environment`
		`+ . /usr/bin/rhts-environment.sh`
		`+ . /usr/share/beakerlib/beakerlib.sh`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ ROOT_PASSWORD="redhat"`
		`+ SERVICE_NAME="pcscd"`
		`+ PROCESS_CONTEXT="pcscd_t"`
		`+ PROCESS_NAME="pcscd"`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-mls`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm pcsc-lite`
		`+`
		`+ rlServiceStop ${SERVICE_NAME}`
		`+ rlFileBackup /etc/shadow`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#624405"`
		`+ rlSEMatchPathCon "/usr/sbin/pcscd" "pcscd_exec_t"`
		`+ if rlIsRHEL 5 ; then`
		`+ rlRun "ls -dZ /sys \| grep :sysfs_t"`
		`+ rlRun "ls -dZ /sys/devices \| grep :sysfs_t"`
		`+ rlSESearchRule "allow pcscd_t sysfs_t : dir { getattr search }"`
		`+ else`
		`+ rlSEMatchPathCon "/sys" "sysfs_t"`
		`+ rlSEMatchPathCon "/sys/devices" "sysfs_t"`
		`+ rlSESearchRule "allow pcscd_t sysfs_t : dir { getattr open read search }"`
		`+ rlSESearchRule "allow pcscd_t sysfs_t : file { getattr open read }"`
		`+ fi`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#752453"`
		`+ rlSEMatchPathCon "/usr/sbin/pcscd" "pcscd_exec_t"`
		`+ rlSESearchRule "allow pcscd_t usb_device_t : chr_file { getattr read write }"`
		`+ rlPhaseEnd`
		`+`
		`+ if ! rlIsRHEL 5 6 7 ; then`
		`+ rlPhaseStartTest "bz#1605641"`
		`+ rlSEMatchPathCon "/usr/sbin/pcscd" "pcscd_exec_t"`
		`+ rlSESearchRule "dontaudit pcscd_t pcscd_t : capability { sys_admin }"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ if rlIsFedora ; then`
		`+ rlPhaseStartTest "bz#1806129 + bz#1816787 + bz#1818759 + bz#1825182 + bz#1825188"`
		`+ rlSEMatchPathCon "/usr/sbin/pcscd" "pcscd_exec_t"`
		`+ rlSESearchRule "dontaudit pcscd_t pcscd_t : capability { sys_nice } [ daemons_dontaudit_scheduling ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1802423 + bz#1805719"`
		`+ rlSEMatchPathCon "/usr/sbin/pcscd" "pcscd_exec_t"`
		`+ rlSESearchRule "dontaudit pcscd_t pcscd_t : process { setsched } [ ]"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ rlPhaseStartTest "real scenario -- bz#624405"`
		`+ rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then`
		`+ if rlIsRHEL 5 6 ; then`
		`+ PROCESS_CONTEXT="initrc_t"`
		`+ else`
		`+ PROCESS_CONTEXT="unconfined_service_t"`
		`+ fi`
		`+ fi`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1`
		`+ rlRun "restorecon -Rv /run /var" 0-255`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+`
		`+ rlFileRestore`
		`+ rlServiceRestore ${SERVICE_NAME}`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

selinux-policy/colord-and-similar/runtest.sh

file modified

+1 -4

		`@@ -74,10 +74,7 @@`

		`if ! rlIsRHEL 5 6 7 ; then`
		`rlPhaseStartTest "real scenario -- user session service"`
		`- rlFileBackup /etc/ssh/sshd_config`
		`- rlRun "sed -i 's/^.PermitRootLogin.$/PermitRootLogin yes/' /etc/ssh/sshd_config"`
		`- rlRun "sed -i 's/^.PasswordAuthentication.$/PasswordAuthentication yes/' /etc/ssh/sshd_config"`
		`- rlRun "service sshd restart"`
		`+ rlSEConfigureSSH`

		`rlRun "setsebool ssh_sysadm_login on"`
		`rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"`

selinux-policy/cups-browsed-and-similar/Makefile

file added

+71

		`@@ -0,0 +1,71 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/cups-browsed-and-similar`
		`+ # Description: SELinux interferes with cups-browsed and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/cups-browsed-and-similar`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh`
		`+ chcon -t bin_t runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: SELinux interferes with cups-browsed and related programs" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 15m" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "RunFor: cups" >> $(METADATA)`
		`+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console cups-filters cups initscripts" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4 -RHELServer5 -RHELClient5 -RHEL6" >> $(METADATA)`
		`+ @echo "Bug: 1395801" >> $(METADATA) # Fedora 26`
		`+ @echo "Bug: 1401634" >> $(METADATA) # Fedora 26`
		`+ @echo "Bug: 1719754" >> $(METADATA) # RHEL-7`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/cups-browsed-and-similar/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/cups-browsed-and-similar`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ SELinux interferes with cups-browsed and related programs.`
		`+`

selinux-policy/cups-browsed-and-similar/main.fmf

file added

		`@@ -0,0 +1,3 @@`
		`+ path: /selinux-policy/cups-browsed-and-similar`
		`+ tier: 2`
		`+`

selinux-policy/cups-browsed-and-similar/runtest.sh

file added

+97

		`@@ -0,0 +1,97 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/cups-browsed-and-similar`
		`+ # Description: SELinux interferes with cups-browsed and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ ROOT_PASSWORD="redhat"`
		`+ FILE_PATH="/usr/sbin/cups-browsed"`
		`+ FILE_CONTEXT="cupsd_exec_t"`
		`+ SERVICE_PACKAGE="cups-filters"`
		`+ SERVICE_NAME="cups-browsed"`
		`+ PROCESS_NAME="cups-browsed"`
		`+ PROCESS_CONTEXT="cupsd_t"`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm ${SERVICE_PACKAGE}`
		`+`
		`+ rlFileBackup /etc/shadow`
		`+ rlServiceStop ${SERVICE_NAME}`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "SELinux contexts and rules"`
		`+ rlSEMatchPathCon "${FILE_PATH}" "${FILE_CONTEXT}"`
		`+ rlSESearchRule "allow initrc_t ${FILE_CONTEXT} : file { getattr open read execute }"`
		`+ rlSESearchRule "allow initrc_t ${PROCESS_CONTEXT} : process { transition }"`
		`+ rlSESearchRule "type_transition initrc_t ${FILE_CONTEXT} : process ${PROCESS_CONTEXT}"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1395801 + bz#1401634 + bz#1719754"`
		`+ rlSEMatchPathCon "/usr/sbin/cups-browsed" "cupsd_exec_t"`
		`+ rlSEMatchPathCon "/tmp" "tmp_t"`
		`+ rlSESearchRule "allow cupsd_t tmp_t : dir { write add_name } [ ]"`
		`+ rlSESearchRule "type_transition cupsd_t tmp_t : lnk_file cupsd_tmp_t"`
		`+ rlSESearchRule "allow cupsd_t cupsd_tmp_t : lnk_file { create unlink } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "real scenario"`
		`+ rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then`
		`+ if rlIsRHEL 5 6 ; then`
		`+ PROCESS_CONTEXT="initrc_t"`
		`+ else`
		`+ PROCESS_CONTEXT="unconfined_service_t"`
		`+ fi`
		`+ fi`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1`
		`+ rlRun "restorecon -Rv /run /var"`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+`
		`+ rlFileRestore`
		`+ rlServiceRestore ${SERVICE_NAME}`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

selinux-policy/cups-lpd-and-similar/Makefile

file added

+71

		`@@ -0,0 +1,71 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/cups-lpd-and-similar`
		`+ # Description: SELinux interferes with cups-lpd and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/cups-lpd-and-similar`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh`
		`+ chcon -t bin_t runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: SELinux interferes with cups-lpd and related programs" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 20m" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "RunFor: cups" >> $(METADATA)`
		`+ @echo "Requires: audit expect policycoreutils-python-utils selinux-policy-devel libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools setools-console xinetd nmap-ncat nc net-tools cups-lpd chkconfig initscripts" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4" >> $(METADATA)`
		`+ @echo "Bug: 1004198" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1554118" >> $(METADATA) # RHEL-8`
		`+ @echo "Bug: 1919399" >> $(METADATA) # RHEL-8`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/cups-lpd-and-similar/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/cups-lpd-and-similar`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ SELinux interferes with cups-lpd and related programs.`
		`+`

selinux-policy/cups-lpd-and-similar/main.fmf

file added

		`@@ -0,0 +1,3 @@`
		`+ path: /selinux-policy/cups-lpd-and-similar`
		`+ tier: 2`
		`+`

selinux-policy/cups-lpd-and-similar/runtest.sh

file added

+146

		`@@ -0,0 +1,146 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/cups-lpd-and-similar`
		`+ # Description: SELinux interferes with cups-lpd and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ ROOT_PASSWORD="redhat"`
		`+ FILE_PATH="/usr/lib/cups/daemon/cups-lpd"`
		`+ FILE_CONTEXT="cupsd_lpd_exec_t"`
		`+ SERVICE_PACKAGE="cups-lpd"`
		`+ SERVICE_NAME="cups-lpd"`
		`+ PROCESS_NAME="cups-lpd"`
		`+ PROCESS_CONTEXT="cupsd_lpd_t"`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ # rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm ${SERVICE_PACKAGE}`
		`+`
		`+ if rlIsRHEL 5 6 ; then`
		`+ rlServiceStop ${SERVICE_NAME}`
		`+ else`
		`+ rlSocketStop ${SERVICE_NAME}`
		`+ fi`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1004198"`
		`+ if rlIsRHEL 5 ; then`
		`+ SOURCE_TYPE="inetd_t" # xinetd runs the process`
		`+ BOOLEANS="[ cupsd_lpd_disable_trans ]"`
		`+ elif rlIsRHEL 6 ; then`
		`+ SOURCE_TYPE="inetd_t" # xinetd runs the process`
		`+ else # RHEL-7 etc.`
		`+ SOURCE_TYPE="init_t" # systemd runs the process`
		`+ fi`
		`+ rlSEMatchPathCon "${FILE_PATH}" "${FILE_CONTEXT}"`
		`+ rlSEMatchPortCon "tcp" "515" "printer_port_t"`
		`+ rlSESearchRule "allow ${SOURCE_TYPE} ${FILE_CONTEXT} : file { getattr open read execute }"`
		`+ rlSESearchRule "allow ${SOURCE_TYPE} ${PROCESS_CONTEXT} : process { transition } ${BOOLEANS}"`
		`+ rlSESearchRule "type_transition ${SOURCE_TYPE} ${FILE_CONTEXT} : process ${PROCESS_CONTEXT} ${BOOLEANS}"`
		`+ if ! rlIsRHEL 5 6 ; then`
		`+ rlSESearchRule "allow ${PROCESS_CONTEXT} printer_port_t : tcp_socket { name_bind }"`
		`+ fi`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1554118"`
		`+ rlSEMatchPathCon "/usr/lib/cups/daemon/cups-lpd" "cupsd_lpd_exec_t"`
		`+ rlSESearchRule "allow init_t cupsd_lpd_t : tcp_socket { create setopt bind listen }"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1919399"`
		`+ rlSEMatchPathCon "/usr/lib/cups/daemon/cups-lpd" "cupsd_lpd_exec_t"`
		`+ rlSEMatchPathCon "/run/cups/cups.sock" "cupsd_var_run_t"`
		`+ rlSESearchRule "allow cupsd_lpd_t cupsd_var_run_t : sock_file { read } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "real scenario -- BZ#1919399"`
		`+ rlRun "systemctl start cups.service"`
		`+ rlRun "systemctl enable cups-lpd.socket"`
		`+ rlRun "systemctl start cups-lpd.socket"`
		`+ rlRun "lpadmin -p test -E"`
		`+ rlRun "DEVICE_URI=lpd://127.0.0.1/test /usr/lib/cups/backend/lpd 1 user test 1 '' /etc/fstab"`
		`+ sleep 5`
		`+ rlRun "systemctl stop cups-lpd.socket"`
		`+ rlRun "systemctl disable cups-lpd.socket"`
		`+ rlRun "systemctl stop cups.service"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "real scenario -- xinetd service"`
		`+ HOST_ADDRESS="127.0.0.1" # IP address or nothing`
		`+ PORT_NUMBER="515" # number or socket path`
		`+ PORT_TYPE="" # default is TCP, otherwise use -u (UDP) or --sctp (SCTP)`
		`+ if rlIsRHEL 5 6 ; then`
		`+ rlRun "chkconfig ${SERVICE_NAME} on"`
		`+ rlRun "service xinetd restart"`
		`+ rlLog "starting provocateur job"`
		`+ ( tail -f - \| nc ${PORT_TYPE} ${HOST_ADDRESS} ${PORT_NUMBER} ) &`
		`+ PROVOCATEUR_PID=$!`
		`+ else`
		`+ rlRun "systemctl enable ${SERVICE_NAME}.socket"`
		`+ rlRun "systemctl start ${SERVICE_NAME}.socket"`
		`+ rlLog "starting provocateur job"`
		`+ ( tail -f - \| ncat ${PORT_TYPE} ${HOST_ADDRESS} ${PORT_NUMBER} ) &`
		`+ PROVOCATEUR_PID=$!`
		`+ fi`
		`+ sleep 1`
		`+ rlRun "netstat -tupan \| grep :${PORT_NUMBER}"`
		`+ rlRun "ps -o pid,user,context,args -C ${PROCESS_NAME}"`
		`+ rlRun "ps -o pid,user,context,args -C ${PROCESS_NAME} \| grep :${PROCESS_CONTEXT}"`
		`+ rlRun "kill ${PROVOCATEUR_PID}"`
		`+ if rlIsRHEL 5 6 ; then`
		`+ rlRun "chkconfig ${SERVICE_NAME} off"`
		`+ rlRun "service xinetd stop"`
		`+ else`
		`+ rlRun "systemctl stop ${SERVICE_NAME}.socket"`
		`+ rlRun "systemctl disable ${SERVICE_NAME}.socket"`
		`+ fi`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+ if rlIsRHEL 5 6 ; then`
		`+ rlServiceRestore ${SERVICE_NAME}`
		`+ else`
		`+ rlSocketRestore ${SERVICE_NAME}`
		`+ fi`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

selinux-policy/cups-pdf-and-similar/runtest.sh

file modified

		`@@ -108,6 +108,8 @@`
		`rlPhaseEnd`

		`rlPhaseStartTest "real scenario -- confined users"`
		`+ rlSEConfigureSSH`
		`+`
		`rlRun "lpadmin -x cups-pdf" 0-255`
		`rlRun "lpadmin -p cups-pdf -v cups-pdf:/ -E -P /usr/share/cups/model/CUPS-PDF_opt.ppd"`
		`rlRun "setsebool ssh_sysadm_login on"`
		`@@ -136,6 +138,7 @@`

		`rlFileRestore`
		`rlServiceRestore ${SERVICE_NAME}`
		`+ rlRun "service sshd restart"`
		`rlPhaseEnd`
		`rlJournalPrintText`
		`rlJournalEnd`

selinux-policy/dmidecode-and-similar/runtest.sh

file modified

+1 -4

		`@@ -109,10 +109,7 @@`
		`rlPhaseEnd`

		`rlPhaseStartTest "real scenario -- confined users"`
		`- rlFileBackup /etc/ssh/sshd_config`
		`- rlRun "sed -i 's/^.PermitRootLogin.$/PermitRootLogin yes/' /etc/ssh/sshd_config"`
		`- rlRun "sed -i 's/^.PasswordAuthentication.$/PasswordAuthentication yes/' /etc/ssh/sshd_config"`
		`- rlRun "service sshd restart"`
		`+ rlSEConfigureSSH`

		`rlRun "setsebool ssh_sysadm_login on"`
		`rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"`

selinux-policy/fapolicyd-and-similar/Makefile

file modified

		`@@ -66,6 +66,7 @@`
		`@echo "Bug: 1865818" >> $(METADATA) # RHEL-8`
		`@echo "Bug: 1874491" >> $(METADATA) # Fedora 33`
		`@echo "Bug: 1876538" >> $(METADATA) # Fedora 33`
		`+ @echo "Bug: 1932225" >> $(METADATA)`

		`rhts-lint $(METADATA)`

selinux-policy/fapolicyd-and-similar/runtest.sh

file modified

+15

		`@@ -88,6 +88,21 @@`
		`rlSESearchRule "allow fapolicyd_t rpm_var_lib_t : file { create } [ ]"`
		`rlPhaseEnd`

		`+ if seinfo --common file -x \| grep -q watch ; then`
		`+ rlPhaseStartTest "bz#1932225"`
		`+ rlSEMatchPathCon "/boot" "boot_t"`
		`+ rlSEMatchPathCon "/" "root_t"`
		`+ rlSEMatchPathCon "/dev/shm" "tmpfs_t"`
		`+ rlSEMatchPathCon "/tmp" "tmp_t"`
		`+ rlSEMatchPathCon "/run/user/0" "user_tmp_t"`
		`+ rlSESearchRule "allow fapolicyd_t boot_t : dir { watch_mount watch_with_perm } [ ]"`
		`+ rlSESearchRule "allow fapolicyd_t root_t : dir { watch_mount watch_with_perm } [ ]"`
		`+ rlSESearchRule "allow fapolicyd_t tmpfs_t : dir { watch_mount watch_with_perm } [ ]"`
		`+ rlSESearchRule "allow fapolicyd_t tmp_t : dir { watch_mount watch_with_perm } [ ]"`
		`+ rlSESearchRule "allow fapolicyd_t user_tmp_t : dir { watch_mount watch_with_perm } [ ]"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`rlPhaseStartTest "real scenario -- standalone service"`
		`rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`if ! rlSEDefined ${PROCESS_CONTEXT} ; then`

selinux-policy/fwupd-and-similar/runtest.sh

file modified

+1 -4

		`@@ -155,10 +155,7 @@`
		`fi`

		`rlPhaseStartTest "real scenario -- confined users -- bz#1772619"`
		`- rlFileBackup /etc/ssh/sshd_config`
		`- rlRun "sed -i 's/^.PermitRootLogin.$/PermitRootLogin yes/' /etc/ssh/sshd_config"`
		`- rlRun "sed -i 's/^.PasswordAuthentication.$/PasswordAuthentication yes/' /etc/ssh/sshd_config"`
		`- rlRun "service sshd restart"`
		`+ rlSEConfigureSSH`

		`rlRun "setsebool ssh_sysadm_login on"`
		`rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"`

selinux-policy/journalctl-and-similar/runtest.sh

file modified

+1 -4

		`@@ -91,10 +91,7 @@`
		`rlPhaseEnd`

		`rlPhaseStartTest "real scenario -- confined users"`
		`- rlFileBackup /etc/ssh/sshd_config`
		`- rlRun "sed -i 's/^.PermitRootLogin.$/PermitRootLogin yes/' /etc/ssh/sshd_config"`
		`- rlRun "sed -i 's/^.PasswordAuthentication.$/PasswordAuthentication yes/' /etc/ssh/sshd_config"`
		`- rlRun "service sshd restart"`
		`+ rlSEConfigureSSH`

		`rlRun "setsebool ssh_sysadm_login on"`
		`rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"`

selinux-policy/kerberos-and-similar/runtest.sh

file modified

-4

		`@@ -67,10 +67,6 @@`
		`rlPhaseStartTest "bz#860666"`
		`rlSEMatchPathCon "/usr/sbin/krb5kdc" "krb5kdc_exec_t"`
		`rlSEMatchPathCon "/usr/sbin/kadmind" "kadmind_exec_t"`
		`- rlSESearchRule "allow krb5kdc_t anon_inodefs_t : file { getattr read write }"`
		`- rlSESearchRule "allow krb5kdc_t anon_inodefs_t : dir { getattr search }"`
		`- rlSESearchRule "allow kadmind_t anon_inodefs_t : file { getattr read write }"`
		`- rlSESearchRule "allow kadmind_t anon_inodefs_t : dir { getattr search }"`
		`rlPhaseEnd`

		`if ! rlIsRHEL 5 6 ; then`

selinux-policy/ladvd/runtest.sh

file modified

		`@@ -33,6 +33,11 @@`
		`PACKAGE="selinux-policy"`

		`rlJournalStart`
		`+ if rlIsRHEL ; then`
		`+ rlLog "Not applicable to this OS version."`
		`+ rlJournalEnd`
		`+ exit 0`
		`+ fi`
		`rlPhaseStartSetup`
		`rlRun "rlImport 'selinux-policy/common'"`
		`rlSESatisfyRequires`

selinux-policy/lockdown-class/Makefile ~~selinux-policy/systemd-modules-load-and-similar/Makefile~~

file renamed

+9 -19

		`@@ -1,7 +1,7 @@`
		`# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`#`
		`- # Makefile of /CoreOS/selinux-policy/Regression/systemd-modules-load-and-similar`
		`- # Description: SELinux interferes with the systemd-modules-load service and related programs`
		`+ # Makefile of /CoreOS/selinux-policy/Sanity/lockdown-class`
		`+ # Description: Is the lockdown class + its permissions defined in SELinux policy?`
		`# Author: Milos Malik <mmalik@redhat.com>`
		`#`
		`# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`@@ -24,7 +24,7 @@`
		`#`
		`# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

		`- export TEST=/CoreOS/selinux-policy/Regression/systemd-modules-load-and-similar`
		`+ export TEST=/CoreOS/selinux-policy/Sanity/lockdown-class`
		`export TESTVERSION=1.0`

		`BUILT_FILES=`
		`@@ -50,12 +50,11 @@`
		`@echo "Name: $(TEST)" >> $(METADATA)`
		`@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`@echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`- @echo "Description: SELinux interferes with the systemd-modules-load service and related programs" >> $(METADATA)`
		`- @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "Description: Is the lockdown class + its permissions defined in SELinux policy?" >> $(METADATA)`
		`+ @echo "Type: Sanity" >> $(METADATA)`
		`@echo "TestTime: 10m" >> $(METADATA)`
		`@echo "RunFor: selinux-policy" >> $(METADATA)`
		`- @echo "RunFor: systemd" >> $(METADATA)`
		`- @echo "Requires: audit initscripts libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console openssh-clients systemd-udev" >> $(METADATA)`
		`+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console" >> $(METADATA)`
		`@echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`@echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`@echo "Priority: Normal" >> $(METADATA)`
		`@@ -63,18 +62,9 @@`
		`@echo "Confidential: no" >> $(METADATA)`
		`@echo "Destructive: no" >> $(METADATA)`
		`@echo "Releases: -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA)`
		`- @echo "Bug: 1358526" >> $(METADATA) # Fedora 24`
		`- @echo "Bug: 1358960" >> $(METADATA) # Fedora 24`
		`- @echo "Bug: 1360157" >> $(METADATA) # Fedora 24`
		`- @echo "Bug: 1360488" >> $(METADATA) # Fedora 24`
		`- @echo "Bug: 1437153" >> $(METADATA) # Fedora 25`
		`- @echo "Bug: 1438253" >> $(METADATA) # Fedora 25`
		`- @echo "Bug: 1490015" >> $(METADATA) # Fedora 27`
		`- @echo "Bug: 1493293" >> $(METADATA) # Fedora 27`
		`- @echo "Bug: 1697632" >> $(METADATA) # Fedora 30`
		`- @echo "Bug: 1698200" >> $(METADATA) # Fedora 30`
		`- @echo "Bug: 1699559" >> $(METADATA) # Fedora 30`
		`- @echo "Bug: 1823246" >> $(METADATA) # RHEL-8`
		`+ @echo "Bug: 1915184" >> $(METADATA) # Fedora rawhide`
		`+ @echo "Bug: 1929332" >> $(METADATA) # RHEL-9`
		`+ @echo "Bug: 1933134" >> $(METADATA) # RHEL-9`

		`rhts-lint $(METADATA)`

selinux-policy/lockdown-class/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Sanity/lockdown-class`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ Description: Is the lockdown class + its permissions defined in SELinux policy?`
		`+`

selinux-policy/lockdown-class/main.fmf

file added

		`@@ -0,0 +1,3 @@`
		`+ path: /selinux-policy/lockdown-class`
		`+ tier: 2`
		`+`

selinux-policy/lockdown-class/runtest.sh

file added

+68

		`@@ -0,0 +1,68 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Sanity/lockdown-class`
		`+ # Description: Is the lockdown class + its permissions defined in SELinux policy?`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2020 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+`
		`+ rlJournalStart`
		`+ if rlIsRHEL '<9' ; then`
		`+ rlLog "Not applicable to this OS version."`
		`+ rlJournalEnd`
		`+ exit 0`
		`+ fi`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1915184"`
		`+ rlRun "seinfo -c lockdown"`
		`+ rlRun "seinfo -c lockdown -x \| grep confidentiality"`
		`+ rlRun "seinfo -c lockdown -x \| grep integrity"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1929332 + bz#1933134"`
		`+ rlSESearchRule "allow unconfined_t unconfined_t : lockdown { integrity } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`

selinux-policy/pam_console-and-related/runtest.sh

file modified

		`@@ -77,6 +77,8 @@`
		`fi`

		`rlPhaseStartTest "real scenario -- confined users"`
		`+ rlSEConfigureSSH`
		`+`
		`rlRun "setsebool ssh_sysadm_login on"`
		`rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"`
		`for SELINUX_USER in ${ALLOWED_USERS} ; do`
		`@@ -108,6 +110,7 @@`
		`rlSECheckAVC`

		`rlFileRestore`
		`+ rlRun "service sshd restart"`
		`rlPhaseEnd`
		`rlJournalPrintText`
		`rlJournalEnd`

selinux-policy/pam_limits-and-related/Makefile

file added

+69

		`@@ -0,0 +1,69 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/pam_limits-and-related`
		`+ # Description: Does SELinux cooperate with pam_limits.so?`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2020 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/pam_limits-and-related`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE ssh.exp`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh ssh.exp`
		`+ chcon -t bin_t runtest.sh ssh.exp`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: Does SELinux cooperate with pam_limits.so?" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 10m" >> $(METADATA)`
		`+ @echo "RunFor: pam" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console expect openssh-clients pam shadow-utils" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA)`
		`+ @echo "Bug: 1958819" >> $(METADATA) # Fedora 34`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/pam_limits-and-related/PURPOSE

file added

+10

		`@@ -0,0 +1,10 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/pam_limits-and-related`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ Does SELinux cooperate with pam_limits.so?`
		`+ Confined and unconfined users are tested using SSH.`
		`+`
		`+ This TC uses following parameters which can be overriden:`
		`+ * ALLOWED_USERS - which SELinux users should be tested?`
		`+ * DENIED_USERS - which SELinux users should NOT be tested?`
		`+`

selinux-policy/pam_limits-and-related/main.fmf

file added

		`@@ -0,0 +1,2 @@`
		`+ path: /selinux-policy/pam_limits-and-related`
		`+ tier: 2`

selinux-policy/pam_limits-and-related/runtest.sh

file added

+89

		`@@ -0,0 +1,89 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/pam_limits-and-related`
		`+ # Description: Does SELinux cooperate with pam_limits.so?`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2020 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ SERVICE_PACKAGE="pam"`
		`+ DENIED_USERS=${DENIED_USERS:-""}`
		`+ ALLOWED_USERS=${ALLOWED_USERS:-"guest_u xguest_u user_u staff_u sysadm_u unconfined_u"}`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm ${SERVICE_PACKAGE}`
		`+`
		`+ rlFileBackup /etc/shadow`
		`+ rlFileBackup /etc/security/limits.conf`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1958819"`
		`+ rlSESearchRule "allow init_t guest_t : process2 { nnp_transition } [ ]"`
		`+ rlSESearchRule "allow init_t staff_t : process2 { nnp_transition } [ ]"`
		`+ rlSESearchRule "allow init_t sysadm_t : process2 { nnp_transition } [ ]"`
		`+ rlSESearchRule "allow init_t unconfined_t : process2 { nnp_transition } [ ]"`
		`+ rlSESearchRule "allow init_t user_t : process2 { nnp_transition } [ ]"`
		`+ rlSESearchRule "allow init_t xguest_t : process2 { nnp_transition } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "real scenario -- confined users"`
		`+ rlRun "setsebool ssh_sysadm_login on"`
		`+ rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"`
		`+ for SELINUX_USER in ${ALLOWED_USERS} ; do`
		`+ USER_NAME="user${RANDOM}"`
		`+ USER_SECRET="S3kr3t${RANDOM}"`
		`+ rlRun "useradd -Z ${SELINUX_USER} ${USER_NAME}"`
		`+ rlRun "echo ${USER_SECRET} \| passwd --stdin ${USER_NAME}"`
		`+ rlRun "echo \"${USER_NAME} - nonewprivs 1\" >> /etc/security/limits.conf"`
		`+ rlRun "restorecon -RvF /home/${USER_NAME}"`
		`+ rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost id"`
		`+ rlRun "userdel -rfZ ${USER_NAME}"`
		`+ sleep 10`
		`+ done`
		`+ rlRun "setsebool ssh_sysadm_login off"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+`
		`+ rlFileRestore`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

selinux-policy/pam_limits-and-related/ssh.exp

file added

+20

		`@@ -0,0 +1,20 @@`
		`+ #!/usr/bin/expect -f`
		`+ # Expect script for SSH logging as $username to $hostname using $password and executing $command.`
		`+ # Usage:`
		`+ # ./ssh.exp username password hostname command`
		`+ set username [lrange $argv 0 0]`
		`+ set password [lrange $argv 1 1]`
		`+ set hostname [lrange $argv 2 2]`
		`+ set command [lrange $argv 3 10]`
		`+ set timeout 15`
		`+ # connect to remote host and execute given command`
		`+ log_user 1`
		`+ spawn ssh -t $username@$hostname $command`
		`+ expect {`
		`+ -nocase "yes/no" { send -- "yes\r" ; exp_continue }`
		`+ -nocase "password" { send -- "$password\r" }`
		`+ }`
		`+ log_user 1`
		`+ # send -- "\r"`
		`+ expect eof`
		`+`

selinux-policy/pam_timestamp-and-related/runtest.sh

file modified

		`@@ -70,6 +70,8 @@`
		`fi`

		`rlPhaseStartTest "real scenario -- confined users"`
		`+ rlSEConfigureSSH`
		`+`
		`rlRun "setsebool ssh_sysadm_login on"`
		`rlRun "mkdir -p ${TIMESTAMP_DIR}"`
		`rlRun "touch ${TIMESTAMP_DIR}/_pam_timestamp_key"`
		`@@ -99,7 +101,9 @@`
		`sleep 2`
		`rlSECheckAVC`
		`rlRun "rm -f ${TIMESTAMP_DIR}/_pam_timestamp_key"`
		`+`
		`rlFileRestore`
		`+ rlRun "service sshd restart"`
		`rlPhaseEnd`
		`rlJournalPrintText`
		`rlJournalEnd`

selinux-policy/perf_event-and-related/runtest.sh

file modified

+2 -5

		`@@ -72,11 +72,8 @@`
		`rlPhaseEnd`

		`rlPhaseStartTest "real scenario -- confined root sysadm_u"`
		`- rlRun "grep -i permit /etc/ssh/sshd_config"`
		`- rlFileBackup /etc/ssh/sshd_config`
		`- rlRun "sed -i 's/^.PermitRootLogin.$/PermitRootLogin yes/' /etc/ssh/sshd_config"`
		`- rlRun "sed -i 's/^.PasswordAuthentication.$/PasswordAuthentication yes/' /etc/ssh/sshd_config"`
		`- rlRun "service sshd restart"`
		`+ rlSEConfigureSSH`
		`+`
		`rlRun "setsebool ssh_sysadm_login on"`
		`USER_NAME="toor"`
		`USER_SECRET="S3kr3t${RANDOM}"`

selinux-policy/ping-and-similar/runtest.sh

file modified

		`@@ -90,6 +90,8 @@`

		`# this phase is useful if you want to run some commands under confined users`
		`rlPhaseStartTest "real scenario -- confined users"`
		`+ rlSEConfigureSSH`
		`+`
		`rlRun "setsebool ssh_sysadm_login on"`
		`rlRun "setsebool user_ping on"`
		`for SELINUX_USER in staff_u user_u sysadm_u unconfined_u ; do`
		`@@ -116,6 +118,7 @@`
		`rlSECheckAVC`

		`rlFileRestore`
		`+ rlRun "service sshd restart"`
		`rlPhaseEnd`
		`rlJournalPrintText`
		`rlJournalEnd`

selinux-policy/policykit-general/Makefile

file added

+77

		`@@ -0,0 +1,77 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/policykit-general`
		`+ # Description: Test for BZ#962791 (SELinux is preventing /usr/lib/polkit-1/polkitd)`
		`+ # Author: Michal Trunecka <mtruneck@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2013 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/policykit-general`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE ssh.exp`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh ssh.exp`
		`+ chcon -t bin_t runtest.sh ssh.exp`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Michal Trunecka <mtruneck@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: Test for BZ#962791 (SELinux is preventing /usr/lib/polkit-1/polkitd)" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 20m" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "RunFor: polkit" >> $(METADATA)`
		`+ @echo "Requires: audit selinux-policy polkit glib2 libselinux libselinux-utils policycoreutils setools-console psmisc shadow-utils expect openssh-clients" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4 -RHEL5" >> $(METADATA)`
		`+ @echo "Bug: 960669" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 962791" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 965143" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1003799" >> $(METADATA) # RHEL-6`
		`+ @echo "Bug: 1301561" >> $(METADATA) # RHEL-6`
		`+ @echo "Bug: 1364513" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1574389" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1583082" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1727902" >> $(METADATA) # RHEL-8`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/policykit-general/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/policykit-general`
		`+ Author: Michal Trunecka <mtruneck@redhat.com>`
		`+`
		`+ SELinux interferes with polkitd and related programs.`
		`+`

selinux-policy/policykit-general/runtest.sh

file added

+178

		`@@ -0,0 +1,178 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/policykit-general`
		`+ # Description: Test for BZ#962791 (SELinux is preventing /usr/lib/polkit-1/polkitd)`
		`+ # Author: Michal Trunecka <mtruneck@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2013 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ ROOT_PASSWORD="redhat"`
		`+ SERVICE_NAME="polkit"`
		`+ SERVICE_PACKAGE="polkit"`
		`+ PROCESS_NAME="polkitd"`
		`+ PROCESS_CONTEXT="policykit_t"`
		`+ if rlIsRHEL 6 7 ; then`
		`+ ALLOWED_USERS="staff_u user_u xguest_u sysadm_u unconfined_u"`
		`+ else`
		`+ ALLOWED_USERS="staff_u user_u guest_u xguest_u sysadm_u unconfined_u"`
		`+ fi`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm ${SERVICE_PACKAGE}`
		`+`
		`+ rlServiceStop ${SERVICE_NAME}`
		`+ rlFileBackup /etc/shadow`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#960669 + bz#962791 + bz#965143"`
		`+ if rlIsRHEL 6 ; then`
		`+ rlSEMatchPathCon "/usr/libexec/polkit-1/polkitd" "policykit_exec_t"`
		`+ else`
		`+ rlSEMatchPathCon "/usr/lib/polkit-1/polkitd" "policykit_exec_t"`
		`+ rlSESearchRule "allow policykit_t cgroup_t : dir { open read getattr lock search ioctl }"`
		`+ fi`
		`+ rlSESearchRule "allow initrc_t policykit_exec_t : file { getattr open read execute }"`
		`+ rlSESearchRule "type_transition initrc_t policykit_exec_t : process policykit_t"`
		`+ rlSESearchRule "allow initrc_t policykit_t : process { transition }"`
		`+ rlSESearchRule "allow system_dbusd_t policykit_exec_t : file { getattr open read execute }"`
		`+ rlSESearchRule "type_transition system_dbusd_t policykit_exec_t : process policykit_t"`
		`+ rlSESearchRule "allow system_dbusd_t policykit_t : process { transition }"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1003799"`
		`+ if rlIsRHEL 6 ; then`
		`+ rlSEMatchPathCon "/usr/libexec/polkit-1/polkitd" "policykit_exec_t"`
		`+ else`
		`+ rlSEMatchPathCon "/usr/lib/polkit-1/polkitd" "policykit_exec_t"`
		`+ fi`
		`+ rlSEMatchPathCon "/var/lib/sss" "sssd_var_lib_t"`
		`+ rlSEMatchPathCon "/var/lib/sss/mc" "sssd_public_t"`
		`+ rlSEMatchPathCon "/var/lib/sss/mc/passwd" "sssd_public_t"`
		`+ rlSESearchRule "allow policykit_t sssd_var_lib_t : dir { getattr open search }"`
		`+ rlSESearchRule "allow policykit_t sssd_public_t : dir { getattr open search }"`
		`+ rlSESearchRule "allow policykit_t sssd_public_t : file { getattr open read }"`
		`+ rlSESearchRule "allow policykit_t sssd_var_lib_t : sock_file { getattr open write }"`
		`+ rlSESearchRule "allow policykit_t sssd_t : unix_stream_socket { connectto }"`
		`+ rlPhaseEnd`
		`+`
		`+ if ! rlIsRHEL 5 ; then`
		`+ rlPhaseStartTest "bz#1301561"`
		`+ rlSEMatchPathCon "/usr/libexec/polkit-1/polkitd" "policykit_exec_t"`
		`+ rlSESearchRule "allow policykit_t fs_t : filesystem { getattr }"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "real scenario -- DBus service"`
		`+ rlRun "killall polkitd" 0,1`
		`+ sleep 1`
		`+ DESTINATION="org.freedesktop.PolicyKit1"`
		`+ rlRun "gdbus introspect --system --object-path / --dest ${DESTINATION} >& /dev/null"`
		`+ sleep 1`
		`+ rlRun "ps -efZ \| grep -v grep \| grep ${PROCESS_NAME}"`
		`+ rlRun "ps -efZ \| grep -v grep \| grep \"${PROCESS_CONTEXT}.*${PROCESS_NAME}\""`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ if ! rlIsRHEL 5 6 ; then`
		`+ rlPhaseStartTest "bz#1364513"`
		`+ rlSESearchRule "allow dhcpc_t policykit_t : dbus { send_msg }"`
		`+ rlSESearchRule "allow policykit_t dhcpc_t : dbus { send_msg }"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1574389 + bz#1583082"`
		`+ rlSEMatchPathCon "/usr/bin/pkla-check-authorization" "policykit_auth_exec_t"`
		`+ rlSESearchRule "allow policykit_t policykit_auth_exec_t : file { map } [ ]"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ if ! rlIsRHEL 5 6 7 ; then`
		`+ rlPhaseStartTest "bz#1727902"`
		`+ rlSEMatchPathCon "/run/dbus" "system_dbusd_var_run_t"`
		`+ rlSEMatchPathCon "/run/dbus/system_bus_socket" "system_dbusd_var_run_t"`
		`+ rlSESearchRule "allow guest_t system_dbusd_var_run_t : dir { search } [ ]"`
		`+ rlSESearchRule "allow guest_t system_dbusd_var_run_t : sock_file { write } [ ]"`
		`+ rlSESearchRule "allow guest_t system_dbusd_t : unix_stream_socket { connectto } [ ]"`
		`+ rlSESearchRule "allow guest_t policykit_t : dbus { send_msg } [ ]"`
		`+ rlSESearchRule "allow policykit_t guest_t : dbus { send_msg } [ ]"`
		`+ rlSESearchRule "allow guest_t system_dbusd_t : dbus { send_msg } [ ]"`
		`+ rlSESearchRule "allow system_dbusd_t guest_t : dbus { send_msg } [ ]"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ if ! rlIsRHEL 5 6 ; then`
		`+ rlPhaseStartTest "real scenario -- standalone service"`
		`+ rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then`
		`+ if rlIsRHEL 5 6 ; then`
		`+ PROCESS_CONTEXT="initrc_t"`
		`+ else`
		`+ PROCESS_CONTEXT="unconfined_service_t"`
		`+ fi`
		`+ fi`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1`
		`+ rlRun "restorecon -Rv /run /var"`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "real scenario -- confined users"`
		`+ rlSEConfigureSSH`
		`+`
		`+ rlRun "setsebool ssh_sysadm_login on"`
		`+ for SELINUX_USER in ${ALLOWED_USERS} ; do`
		`+ USER_NAME="user${RANDOM}"`
		`+ USER_SECRET="S3kr3t${RANDOM}"`
		`+ rlRun "useradd -Z ${SELINUX_USER} ${USER_NAME}"`
		`+ rlRun "echo ${USER_SECRET} \| passwd --stdin ${USER_NAME}"`
		`+ rlRun "restorecon -Rv /home/${USER_NAME}"`
		`+ rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost pkaction"`
		`+ rlRun "userdel -rfZ ${USER_NAME}"`
		`+ done`
		`+ rlRun "setsebool ssh_sysadm_login off"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+`
		`+ rlFileRestore`
		`+ rlServiceRestore ${SERVICE_NAME}`
		`+ rlRun "service sshd restart"`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

selinux-policy/policykit-general/ssh.exp

file added

+20

		`@@ -0,0 +1,20 @@`
		`+ #!/usr/bin/expect -f`
		`+ # Expect script for SSH logging as $username to $hostname using $password and executing $command.`
		`+ # Usage:`
		`+ # ./ssh.exp username password hostname command`
		`+ set username [lrange $argv 0 0]`
		`+ set password [lrange $argv 1 1]`
		`+ set hostname [lrange $argv 2 2]`
		`+ set command [lrange $argv 3 10]`
		`+ set timeout 15`
		`+ # connect to remote host and execute given command`
		`+ log_user 1`
		`+ spawn ssh -t $username@$hostname "$command ; sleep 5"`
		`+ expect {`
		`+ -nocase "yes/no" { send -- "yes\r" ; exp_continue }`
		`+ -nocase "password" { send -- "$password\r" }`
		`+ }`
		`+ log_user 1`
		`+ # send -- "\r"`
		`+ expect eof`
		`+`

selinux-policy/rpmdb-and-similar/runtest.sh

file modified

		`@@ -38,6 +38,12 @@`
		`PROCESS_CONTEXT="rpmdb_t"`

		`rlJournalStart`
		`+ if rlIsRHEL '<9' ; then`
		`+ rlLog "Not applicable to this OS version."`
		`+ rlJournalEnd`
		`+ exit 0`
		`+ fi`
		`+`
		`rlLog "If this test fails, please contact mmalik or IRC #selinux"`
		`rlLog "This test should fail if tested bugs are NOT fixed yet"`
		`rlPhaseStartSetup`

selinux-policy/sslh-and-similar/Makefile

file added

+68

		`@@ -0,0 +1,68 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/sslh-and-similar`
		`+ # Description: SELinux interferes with sslh and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/sslh-and-similar`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh`
		`+ chcon -t bin_t runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: SELinux interferes with sslh and related programs" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 10m" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools setools-console sslh initscripts" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)`
		`+ @echo "Bug: 1534624" >> $(METADATA) # Fedora 27`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/sslh-and-similar/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/sslh-and-similar`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ SELinux interferes with sslh and related programs.`
		`+`

selinux-policy/sslh-and-similar/main.fmf

file added

		`@@ -0,0 +1,3 @@`
		`+ path: /selinux-policy/sslh-and-similar`
		`+ tier: 2`
		`+`

selinux-policy/sslh-and-similar/runtest.sh

file added

+107

		`@@ -0,0 +1,107 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/sslh-and-similar`
		`+ # Description: SELinux interferes with sslh and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2021 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ ROOT_PASSWORD="redhat"`
		`+ FILE_PATH="/usr/sbin/sslh"`
		`+ FILE_CONTEXT="sslh_exec_t"`
		`+ SERVICE_PACKAGE="sslh"`
		`+ SERVICE_NAME="sslh"`
		`+ PROCESS_NAME="sslh"`
		`+ PROCESS_CONTEXT="sslh_t"`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm ${SERVICE_PACKAGE}`
		`+`
		`+ rlServiceStop ${SERVICE_NAME}`
		`+ rlFileBackup /etc/shadow`
		`+ rlFileBackup /etc/sslh.cfg`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ if rlSEDefined ${PROCESS_CONTEXT} ; then`
		`+ rlPhaseStartTest "bz#1534624"`
		`+ rlSEMatchPathCon "${FILE_PATH}" "${FILE_CONTEXT}"`
		`+ rlSEMatchPathCon "/var/lib/sss" "sssd_var_lib_t"`
		`+ rlSEMatchPathCon "/var/lib/sss/mc" "sssd_public_t"`
		`+ rlSEMatchPathCon "/var/lib/sss/mc/passwd" "sssd_public_t"`
		`+ rlSEMatchPathCon "/var/lib/sss/pipes" "sssd_var_lib_t"`
		`+ rlSEMatchPathCon "/var/lib/sss/pipes/nss" "sssd_var_lib_t"`
		`+ if rlIsRHEL 5 ; then`
		`+ SOURCE_TYPE="initrc_t"`
		`+ BOOLEANS="[ ]"`
		`+ elif rlIsRHEL 6 ; then`
		`+ SOURCE_TYPE="initrc_t"`
		`+ else # RHEL-7 etc.`
		`+ SOURCE_TYPE="init_t" # systemd runs the process`
		`+ fi`
		`+ rlSESearchRule "allow ${SOURCE_TYPE} ${FILE_CONTEXT} : file { getattr open read execute } $BOOLEANS"`
		`+ rlSESearchRule "allow ${SOURCE_TYPE} ${PROCESS_CONTEXT} : process { transition } $BOOLEANS"`
		`+ rlSESearchRule "type_transition ${SOURCE_TYPE} ${FILE_CONTEXT} : process ${PROCESS_CONTEXT} $BOOLEANS"`
		`+ rlSESearchRule "allow sslh_t sssd_var_lib_t : dir { search }"`
		`+ rlSESearchRule "allow sslh_t sssd_public_t : file { getattr open read map }"`
		`+ rlSESearchRule "allow sslh_t sssd_var_lib_t : sock_file { write }"`
		`+ rlSESearchRule "allow sslh_t sssd_t : unix_stream_socket { connectto }"`
		`+ rlPhaseEnd`
		`+ fi`
		`+`
		`+ rlPhaseStartTest "real scenario -- standalone service"`
		`+ rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`+ rlRun "sed -i 's/thelonious/localhost/' /etc/sslh.cfg"`
		`+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then`
		`+ # RHEL-4, RHEL-5, RHEL-6 are excluded`
		`+ PROCESS_CONTEXT="unconfined_service_t"`
		`+ fi`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1`
		`+ rlRun "restorecon -Rv /run /var"`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+`
		`+ rlFileRestore`
		`+ rlServiceRestore ${SERVICE_NAME}`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

selinux-policy/swap-file-and-systemd-access/Makefile

file modified

		`@@ -70,6 +70,7 @@`
		`@echo "Bug: 1912385" >> $(METADATA) # Fedora 32`
		`@echo "Bug: 1926536" >> $(METADATA) # RHEL 9`
		`@echo "Bug: 1928539" >> $(METADATA) # Fedora 32`
		`+ @echo "Bug: 1968610" >> $(METADATA) # RHEL 8`

		`rhts-lint $(METADATA)`

selinux-policy/swap-file-and-systemd-access/PURPOSE

file modified

+1 -1

		`@@ -1,5 +1,5 @@`
		`PURPOSE of /CoreOS/selinux-policy/Regression/swap-file-and-systemd-access`
		`Author: Milos Malik <mmalik@redhat.com>`

		`- SELinux interferes with systemd when accessing a swap file.`
		`+ SELinux interferes with systemd when accessing swap files or swap partitions.`

selinux-policy/swap-file-and-systemd-access/runtest.sh

file modified

		`@@ -83,6 +83,13 @@`
		`rlSESearchRule "allow systemd_sleep_t fixed_disk_device_t : blk_file { getattr } [ ]"`
		`rlPhaseEnd`

		`+ rlPhaseStartTest "bz#1968610"`
		`+ rlSEMatchPathCon "/sys/power" "sysfs_t"`
		`+ rlSEMatchPathCon "/sys/power/state" "sysfs_t"`
		`+ rlSESearchRule "allow systemd_sleep_t sysfs_t : dir { add_name write } [ ]"`
		`+ rlSESearchRule "allow systemd_sleep_t sysfs_t : file { create } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`if ${REAL_SCENARIOS} ; then`
		`rlPhaseStartTest "real scenario"`
		`rlRun "rm -f /swapfile"`

selinux-policy/systemd-homed/runtest.sh

file modified

		`@@ -110,6 +110,12 @@`
		`}`

		`rlJournalStart`
		`+ if rlIsRHEL '<9' ; then`
		`+ rlLog "Not applicable to this OS version."`
		`+ rlJournalEnd`
		`+ exit 0`
		`+ fi`
		`+`
		`rlPhaseStartSetup`
		`rlRun "rlImport 'selinux-policy/common'"`
		`rlSESatisfyRequires`

selinux-policy/systemd-modules-load-and-similar/runtest.sh

file modified

+17

		`@@ -99,6 +99,12 @@`
		`rlSESearchRule "allow systemd_modules_load_t bin_t : file { execute execute_no_trans map } [ ]"`
		`rlPhaseEnd`

		`+ rlPhaseStartTest "bz#1819161 + bz#1824196 + bz#1829700 + bz#1833502 + bz#1838933"`
		`+ rlSEMatchPathCon "/sys/firmware/efi" "efivarfs_t"`
		`+ rlSESearchRule "allow systemd_modules_load_t efivarfs_t : file { getattr open read } [ ]"`
		`+ rlSESearchRule "allow systemd_resolved_t efivarfs_t : file { getattr open read } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`rlPhaseStartTest "real scenario -- standalone service"`
		`rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`rlRun "echo ${KERNEL_MODULE} > /etc/modules-load.d/${KERNEL_MODULE}.conf"`
		`@@ -111,6 +117,17 @@`
		`rlRun "rm -f /etc/modules-load.d/${KERNEL_MODULE}.conf"`
		`rlPhaseEnd`

		`+ rlPhaseStartTest "bz#1942267"`
		`+ tst_Time="$(date '+%T')"`
		`+ # Install kernel-module matching the running kernel version`
		`+ rlRun "dnf -y install kernel-modules-$(uname -r)"`
		`+ rlRun "systemctl start rdma-load-modules@rdma.service"`
		`+ rlRun "systemctl status rdma-load-modules@rdma.service"`
		`+ rlRun "lsmod \| grep rdma"`
		`+ rlRun "ausearch -m AVC -m USER_AVC --start $tst_Time" 1`
		`+ rlRun "systemctl stop rdma-load-modules@rdma.service"`
		`+ rlPhaseEnd`
		`+`
		`rlPhaseStartCleanup`
		`sleep 2`
		`rlSECheckAVC`

selinux-policy/systemd-timesyncd-and-similar/Makefile

file modified

		`@@ -73,6 +73,7 @@`
		`@echo "Bug: 1694272" >> $(METADATA) # Fedora 29`
		`@echo "Bug: 1822131" >> $(METADATA) # Fedora 32`
		`@echo "Bug: 1869979" >> $(METADATA) # RHEL-8`
		`+ @echo "Bug: 1949315" >> $(METADATA) # Fedora 34`

		`rhts-lint $(METADATA)`

selinux-policy/systemd-timesyncd-and-similar/runtest.sh

file modified

		`@@ -102,6 +102,14 @@`
		`rlSESearchRule "allow systemd_timedated_t efivarfs_t : file { getattr open read } [ ]"`
		`rlPhaseEnd`

		`+ rlPhaseStartTest "bz#1949315"`
		`+ rlSEMatchPathCon "/" "root_t"`
		`+ rlSEMatchPathCon "/run" "var_run_t"`
		`+ rlSESearchRule "allow systemd_timedated_t root_t : dir { watch } [ ]"`
		`+ rlSESearchRule "allow systemd_timedated_t var_run_t : dir { watch } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ if systemctl list-units \| grep -q ${SERVICE_NAME} ; then`
		`rlPhaseStartTest "real scenario -- standalone service"`
		`rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`if ! rlSEDefined ${PROCESS_CONTEXT} ; then`
		`@@ -111,6 +119,7 @@`
		`rlRun "restorecon -Rv /run /var" 0-255`
		`rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1`
		`rlPhaseEnd`
		`+ fi`

		`rlPhaseStartCleanup`
		`sleep 2`

selinux-policy/systemd-userdbd-and-similar/runtest.sh

file modified

		`@@ -82,6 +82,8 @@`
		`fi`

		`rlPhaseStartTest "real scenario -- confined users"`
		`+ rlSEConfigureSSH`
		`+`
		`rlRun "setsebool ssh_sysadm_login on"`
		`rlRun "setsebool selinuxuser_tcp_server on"`
		`rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"`
		`@@ -126,6 +128,7 @@`

		`rlFileRestore`
		`rlServiceRestore ${SERVICE_NAME}`
		`+ rlRun "service sshd restart"`
		`rlPhaseEnd`
		`rlJournalPrintText`
		`rlJournalEnd`

selinux-policy/tlp-and-similar/runtest.sh

file modified

		`@@ -40,6 +40,12 @@`
		`PROCESS_CONTEXT="tlp_t"`

		`rlJournalStart`
		`+ if ! rlIsRHEL 7 8 && ! rlIsFedora ; then`
		`+ rlLog "Not applicable to this OS version."`
		`+ rlJournalEnd`
		`+ exit 0`
		`+ fi`
		`+`
		`rlPhaseStartSetup`
		`rlRun "rlImport 'selinux-policy/common'"`
		`rlSESatisfyRequires`

selinux-policy/usbmuxd-and-similar/Makefile

file added

+73

		`@@ -0,0 +1,73 @@`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Makefile of /CoreOS/selinux-policy/Regression/usbmuxd-and-similar`
		`+ # Description: SELinux interferes with usbmuxd and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2012 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ export TEST=/CoreOS/selinux-policy/Regression/usbmuxd-and-similar`
		`+ export TESTVERSION=1.0`
		`+`
		`+ BUILT_FILES=`
		`+`
		`+ FILES=$(METADATA) runtest.sh Makefile PURPOSE`
		`+`
		`+ .PHONY: all install download clean`
		`+`
		`+ run: $(FILES) build`
		`+ ./runtest.sh`
		`+`
		`+ build: $(BUILT_FILES)`
		`+ chmod a+x runtest.sh`
		`+ chcon -t bin_t runtest.sh`
		`+`
		`+ clean:`
		`+ rm -f *~ $(BUILT_FILES)`
		`+`
		`+ include /usr/share/rhts/lib/rhts-make.include`
		`+`
		`+ $(METADATA): Makefile`
		`+ @echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)`
		`+ @echo "Name: $(TEST)" >> $(METADATA)`
		`+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)`
		`+ @echo "Path: $(TEST_DIR)" >> $(METADATA)`
		`+ @echo "Description: SELinux interferes with usbmuxd and related programs" >> $(METADATA)`
		`+ @echo "Type: Regression" >> $(METADATA)`
		`+ @echo "TestTime: 15m" >> $(METADATA)`
		`+ @echo "RunFor: selinux-policy" >> $(METADATA)`
		`+ @echo "RunFor: usbmuxd" >> $(METADATA)`
		`+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console usbmuxd initscripts" >> $(METADATA)`
		`+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)`
		`+ @echo "Priority: Normal" >> $(METADATA)`
		`+ @echo "License: GPLv2" >> $(METADATA)`
		`+ @echo "Confidential: no" >> $(METADATA)`
		`+ @echo "Destructive: no" >> $(METADATA)`
		`+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)`
		`+ @echo "Releases: -RHEL4 -RHEL5 -RHEL6" >> $(METADATA)`
		`+ @echo "Bug: 1521054" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1582205" >> $(METADATA) # RHEL-7`
		`+ @echo "Bug: 1930992" >> $(METADATA) # Fedora 33`
		`+ @echo "Bug: 1936705" >> $(METADATA) # Fedora 34`
		`+ @echo "Bug: 1959747" >> $(METADATA) # Fedora 35`
		`+`
		`+ rhts-lint $(METADATA)`
		`+`

selinux-policy/usbmuxd-and-similar/PURPOSE

file added

		`@@ -0,0 +1,5 @@`
		`+ PURPOSE of /CoreOS/selinux-policy/Regression/usbmuxd-and-similar`
		`+ Author: Milos Malik <mmalik@redhat.com>`
		`+`
		`+ SELinux interferes with usbmuxd and related programs.`
		`+`

selinux-policy/usbmuxd-and-similar/main.fmf

file added

		`@@ -0,0 +1,2 @@`
		`+ path: /selinux-policy/usbmuxd-and-similar`
		`+ tier: 2`

selinux-policy/usbmuxd-and-similar/runtest.sh

file added

+114

		`@@ -0,0 +1,114 @@`
		`+ #!/bin/bash`
		`+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # runtest.sh of /CoreOS/selinux-policy/Regression/usbmuxd-and-similar`
		`+ # Description: SELinux interferes with usbmuxd and related programs`
		`+ # Author: Milos Malik <mmalik@redhat.com>`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+ #`
		`+ # Copyright (c) 2012 Red Hat, Inc. All rights reserved.`
		`+ #`
		`+ # This copyrighted material is made available to anyone wishing`
		`+ # to use, modify, copy, or redistribute it subject to the terms`
		`+ # and conditions of the GNU General Public License version 2.`
		`+ #`
		`+ # This program is distributed in the hope that it will be`
		`+ # useful, but WITHOUT ANY WARRANTY; without even the implied`
		`+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
		`+ # PURPOSE. See the GNU General Public License for more details.`
		`+ #`
		`+ # You should have received a copy of the GNU General Public`
		`+ # License along with this program; if not, write to the Free`
		`+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
		`+ # Boston, MA 02110-1301, USA.`
		`+ #`
		`+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
		`+`
		`+ # Include Beaker environment`
		`+ . /usr/bin/rhts-environment.sh \|\| exit 1`
		`+ . /usr/share/beakerlib/beakerlib.sh \|\| exit 1`
		`+`
		`+ PACKAGE="selinux-policy"`
		`+ ROOT_PASSWORD="redhat"`
		`+ FILE_PATH="/usr/sbin/usbmuxd"`
		`+ FILE_CONTEXT="usbmuxd_exec_t"`
		`+ SERVICE_PACKAGE="usbmuxd"`
		`+ SERVICE_NAME="usbmuxd"`
		`+ PROCESS_NAME="usbmuxd"`
		`+ PROCESS_CONTEXT="usbmuxd_t"`
		`+`
		`+ rlJournalStart`
		`+ rlPhaseStartSetup`
		`+ rlRun "rlImport 'selinux-policy/common'"`
		`+ rlSESatisfyRequires`
		`+ rlAssertRpm ${PACKAGE}`
		`+ rlAssertRpm ${PACKAGE}-targeted`
		`+ rlAssertRpm ${SERVICE_PACKAGE}`
		`+`
		`+ rlServiceStop ${SERVICE_NAME}`
		`+ rlFileBackup /etc/shadow`
		`+`
		`+ rlSESetEnforce`
		`+ rlSEStatus`
		`+ rlSESetTimestamp`
		`+ sleep 2`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1521054 + bz#1582205"`
		`+ if rlIsRHEL 5 ; then`
		`+ SOURCE_TYPE="initrc_t"`
		`+ BOOLEANS="[ ]"`
		`+ elif rlIsRHEL 6 ; then`
		`+ SOURCE_TYPE="initrc_t"`
		`+ else # RHEL-7 etc.`
		`+ SOURCE_TYPE="init_t" # systemd runs the process`
		`+ fi`
		`+ rlSEMatchPathCon "${FILE_PATH}" "${FILE_CONTEXT}"`
		`+ rlSEMatchPathCon "/run/udev/data" "udev_var_run_t"`
		`+ rlSEMatchPathCon "/run/udev/data/c189:0" "udev_var_run_t"`
		`+ rlSESearchRule "allow ${SOURCE_TYPE} ${FILE_CONTEXT} : file { getattr open read execute }"`
		`+ rlSESearchRule "allow ${SOURCE_TYPE} ${PROCESS_CONTEXT} : process { transition } ${BOOLEANS}"`
		`+ rlSESearchRule "type_transition ${SOURCE_TYPE} ${FILE_CONTEXT} : process ${PROCESS_CONTEXT} ${BOOLEANS}"`
		`+ rlSESearchRule "allow usbmuxd_t udev_var_run_t : dir { getattr open search } [ ]"`
		`+ rlSESearchRule "allow usbmuxd_t udev_var_run_t : file { getattr open read } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1930992"`
		`+ rlSEMatchPathCon "/sys" "sysfs_t"`
		`+ rlSESearchRule "allow usbmuxd_t sysfs_t : filesystem { getattr } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1936705"`
		`+ rlSEMatchPathCon "/sys/fs/cgroup" "cgroup_t"`
		`+ rlSESearchRule "allow usbmuxd_t cgroup_t : filesystem { getattr } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "bz#1959747"`
		`+ rlRun "ls -dZ /proc/1 \| grep :init_t"`
		`+ rlRun "ls -Z /proc/1/environ \| grep :init_t"`
		`+ rlSESearchRule "dontaudit usbmuxd_t init_t : dir { search } [ ]"`
		`+ rlSESearchRule "dontaudit usbmuxd_t init_t : file { getattr open read ioctl } [ ]"`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartTest "real scenario"`
		`+ rlRun "echo ${ROOT_PASSWORD} \| passwd --stdin root"`
		`+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then`
		`+ PROCESS_CONTEXT="unconfined_service_t"`
		`+ fi`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1`
		`+ rlRun "restorecon -Rv /var /run"`
		`+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1`
		`+ rlPhaseEnd`
		`+`
		`+ rlPhaseStartCleanup`
		`+ sleep 2`
		`+ rlSECheckAVC`
		`+`
		`+ rlFileRestore`
		`+ rlServiceRestore ${SERVICE_NAME}`
		`+ rlPhaseEnd`
		`+ rlJournalPrintText`
		`+ rlJournalEnd`
		`+`

apeetham commented 3 years ago

Add an rdma test case to selinux-policy test suite which verifies
bug1942267. The fix checks for avc generated by rdma service.

Signed-off-by: Amith Kumar apeetham@redhat.com

rebased onto dd688310d1b10569594af9977bc162aa35e24c31

3 years ago

mmalik commented 3 years ago

The changes look good to me, but the web UI indicates some kind of conflict (Merge button is red).

omos commented on line 6 of selinux-policy/systemd-modules-load-and-similar/Makefile 3 years ago

Adding kernel-rt to Requires doesn't automatically mean that the RT kernel will be running during the test (that would be more complicated to achieve). So it is either unnecessary or won't work as intended.

omos commented on line 9 of selinux-policy/systemd-modules-load-and-similar/runtest.sh 3 years ago

(nit) The above 4 lines should be indented by four more spaces.

rebased onto 5d66cb5fa4d3bef9d55c9d27be09974af2b70813

3 years ago

apeetham commented 3 years ago

Adding kernel-rt to Requires doesn't automatically mean that the RT kernel will be running during the test (that would be more complicated to achieve). So it is either unnecessary or won't work as intended.

I agree. I retested this Fedora-34 and couldn't find kernel-rt package.

apeetham commented 3 years ago

@mmalik , @omos , I have made changes based on your review. Let me know, whether the current version of code looks good or not.

omos commented 3 years ago

Note that the test also needs the kernel-modules package matching the running kernel version to be installed, which is not true by default for Fedora Cloud images (used e.g. by Fedora CI). However, this is tricky, because you'd need to do something like yum install kernel-modules-$(uname -r), and also this might sometimes not work if that particular version of the package is no longer in the repos (see e.g. https://pagure.io/fedora-ci/general/issue/162). So this boils down to how resilient/portable/simple you want this test to be...

Another suggestion: it would be nice to add also systemctl status ... call after systemctl start to see if there were any errors. Or maybe you could just use rlServiceStart, which AFAIK does just that.

Finally, you need to also rebase the branch on top of the current main branch, as there are apparently some conflicts.

rebased onto ba7eac1

2 years ago

apeetham commented 2 years ago

@mmalik , based on comments from omos, i have amended the patch. The latest changes include installation of kernel-modules with $(uname -r) of system. I don't have a simple solution for the other situation when relevant version of kernel-modules package is unavailable in repos.

Also added a line to check the status of rdma-load-modules service after it is started. rlServiceStart is not giving me the required results as "It checks the status first and then start/stop the service". We are looking for the status after the service is started.

38 new commits added

Don't run lockdown-class test on RHEL-8.x
policycoreutils/setfiles_binary: fix yaml formatting
policycoretuils: add new test for setfiles with binary policy
correct policy rule checks related to /sys/power/state
test if systemd-sleep can create new file in /sys/power directory
skip the real scenario if the service is missing
add new test which uses pam_limits and nonewprivs
kernel/selinux-testsuite: update metadata to better match TCMS
configure sshd to allow password auth for users
Remove all references to anon_inodefs_t
test if fapolicyd can watch* various mount points
add the accounts-daemon test to upstream repo
add the cups-lpd test to upstream repo
add the acpid test to upstream repo
add the policykit test to upstream repo
add the sslh test to upstream repo
add the cups-browsed test to upstream repo
add the pcscd test to upstream repo
test if usbmuxd can access /proc/1/environ file
test if usbmuxd can call statfs on /sys/fs/cgroup filesystem
test if usbmuxd can call statfs on /sys filesystem
skip the policy which is not installed
test if unconfined process can lockdown kernel for integrity purposes
add new test which covers the lockdown class
add the usbmuxd test to upstream repo
kernel/selinux-testsuite: fix condition for skipping the keys subtest
kernel/selinux-testsuite: update the XFS quota bug workaround
kernel/selinux-testsuite: move keys test exclude under RHEL-8
kernel/selinux-testsuite: Bump upstream commit
kernel/avc_tracepoint: disable restraint's AVC check
kernel/selinux-testsuite: Bump upstream commit
Add a basic test for SELinux AVC tracepoint
test if systemd-timesyncd can watch the / directory
Add a minimal test for the recent setsebool kernel regression
exit from irrelevant tests quickly
libsepol-sanity: Add test for bug1838257
kernel/netlabel_many_ifaces: fix relevancy for RHEL
test if systemd-modules-load can read files under /sys/firmware/efi

2 years ago

apeetham commented 2 years ago

I am closing this PR as this branch is messed up due to conflicts and rebase. I couldn't fix it so i have created a new PR https://src.fedoraproject.org/tests/selinux/pull-request/234 for the same issue.

Pull-Request has been closed by apeetham

2 years ago