From 4fc595beabb48f5c2776d398f257f83e8e6dc116 Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: Jun 20 2023 16:46:28 +0000
Subject: test if the kernel_generic_helper_t policy works fine

TBA later

The TC covers BZ#2166228.

---
diff --git a/selinux-policy/kernel-generic-helper/main.fmf b/selinux-policy/kernel-generic-helper/main.fmf
new file mode 100644
index 0000000..78d3207
--- /dev/null
+++ b/selinux-policy/kernel-generic-helper/main.fmf
@@ -0,0 +1,35 @@
+summary: test if the kernel_generic_helper_t policy works fine
+contact: Milos Malik
+framework: beakerlib
+component:
+ - selinux-policy
+require:
+ - library(selinux-policy/common)
+recommend:
+ - audit
+ - libselinux
+ - libselinux-utils
+ - policycoreutils
+ - selinux-policy
+ - selinux-policy-targeted
+ - setools-console
+ - keyutils
+ - nfs-utils
+ - /usr/sbin/service
+environment:
+ AVC_ERROR: +no_avc_check
+duration: 15m
+enabled: true
+tag:
+ - NoRHEL4
+ - NoRHEL5
+ - NoRHEL6
+ - NoRHEL7
+ - NoRHEL8
+ - targeted
+link:
+ - verifies: https://bugzilla.redhat.com/show_bug.cgi?id=2166228
+adjust:
+ - enabled: false
+ when: distro == rhel-4, rhel-5, rhel-6, rhel-7, rhel-8
+ because: the kernel_generic_helper_t is not defined there
diff --git a/selinux-policy/kernel-generic-helper/runtest.sh b/selinux-policy/kernel-generic-helper/runtest.sh
new file mode 100755
index 0000000..20a9f00
--- /dev/null
+++ b/selinux-policy/kernel-generic-helper/runtest.sh
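Review bot: The `AVC_ERROR: +no_avc_check` entry under `environment:` is undocumented, and a reader cannot tell from this file why the harness-level AVC check is being turned off; presumably it is because runtest.sh performs its own check, scoped by rlSESetTimestamp and evaluated by rlSECheckAVC in its cleanup phase, but that should be confirmed against the harness. A YAML comment above the entry, `# harness AVC check is off: runtest.sh checks AVC denials itself after rlSESetTimestamp`, would record the intent. The same distros are excluded twice, once by the NoRHEL4–NoRHEL8 tags and once by the `adjust:` rule; if the tags are kept for filtering, a one-line comment saying so would keep the two lists from drifting apart.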
@@ -0,0 +1,55 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ rlAssertRpm keyutils
+ rlAssertRpm nfs-utils
+ rlAssertRpm selinux-policy
+
+ rlSESetEnforce
+ rlSEStatus
+ rlSESetTimestamp
+ sleep 2
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#2166228"
+ rlSEMatchPathCon "/usr/sbin/request-key" "bin_t"
+ rlSESearchRule "allow kernel_t bin_t : file { execute } [ ]"
+ rlSESearchRule "type_transition kernel_t bin_t : process kernel_generic_helper_t"
+ rlSESearchRule "allow kernel_t usr_t : file { execute } [ ]"
+ rlSESearchRule "type_transition kernel_t usr_t : process kernel_generic_helper_t"
+ rlSESearchRule "allow kernel_t kernel_generic_helper_t : process { transition } [ ]"
+ rlSESearchRule "allow kernel_generic_helper_t kernel_t : key { read view } [ ]"
+ rlSESearchRule "allow kernel_generic_helper_t kernel_generic_helper_t : unix_dgram_socket { create } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "real scenario"
+ DIRECT_MOUNT_POINT="/mnt/direct${RANDOM}"
+ NFS_MOUNT_POINT="/mnt/nfs${RANDOM}"
+ rlRun "service rpcbind start"
+ rlRun "service nfs-idmapd start"
+ rlRun "mkdir ${DIRECT_MOUNT_POINT}"
+ rlRun "exportfs -v localhost:${DIRECT_MOUNT_POINT}"
+ rlRun "exportfs"
+ rlRun "mkdir ${NFS_MOUNT_POINT}"
+ rlRun "mount -t nfs4 localhost:${DIRECT_MOUNT_POINT} ${NFS_MOUNT_POINT}"
+ rlRun "mount | grep ${NFS_MOUNT_POINT}"
+ rlRun "systemctl daemon-reload"
+ sleep 2
+ rlRun "umount ${NFS_MOUNT_POINT}"
+ rlRun "rmdir ${NFS_MOUNT_POINT}"
+ rlRun "exportfs -u localhost:${DIRECT_MOUNT_POINT}"
+ rlRun "rmdir ${DIRECT_MOUNT_POINT}"
+ rlRun "service rpcbind stop"
+ rlRun "service nfs-idmapd stop"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+ rlPhaseEnd
+rlJournalEnd
+
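Review bot: The teardown of the "real scenario" phase (umount, rmdir, exportfs -u, service stop) lives inside the test phase rather than in rlPhaseStartCleanup, so if mount or exportfs fails part-way through, the host can be left with a live NFS export of ${DIRECT_MOUNT_POINT} and stale mount points, while the cleanup phase only sleeps and runs rlSECheckAVC. Moving those lines into the cleanup phase makes the teardown run however the phase ended; the mount-point variables are plain shell globals, so they remain visible there. Nothing in the phase asserts that request-key actually ran in kernel_generic_helper_t; as far as the visible lines show, the pass criterion is only the absence of AVC denials since rlSESetTimestamp, which a comment such as `# pass criterion: no AVC denials since the timestamp, checked by rlSECheckAVC in cleanup` above the phase would make explicit. Note also that `service rpcbind stop` and `service nfs-idmapd stop` run unconditionally, so a host where either service was already running before the test is left changed; recording their prior state in setup and restoring it would avoid that, if the test hosts can be shared.
```shell
    rlPhaseStartCleanup
        # teardown lives here so a failed mount or export in the test phase
        # still leaves no stray NFS export or mount point behind
        rlRun "umount ${NFS_MOUNT_POINT}"
        rlRun "rmdir ${NFS_MOUNT_POINT}"
        rlRun "exportfs -u localhost:${DIRECT_MOUNT_POINT}"
        rlRun "rmdir ${DIRECT_MOUNT_POINT}"
        rlRun "service rpcbind stop"
        rlRun "service nfs-idmapd stop"
        sleep 2
        rlSECheckAVC
    rlPhaseEnd
```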