From 5389b5acb3f61e4f1c39af4f74cb1cb4564ca49c Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: Mar 18 2024 16:09:16 +0000
Subject: test if plymouthd can access /dev/kmsg

Recent testing revealed that SELinux prevents the plymouthd processes from accessing the /dev/kmsg device. The TC reproduces the situation. In order to support the expected plymouthd functionality, I believe that SELinux policy should allow the access. The TC looks for appropriate policy rules and file context patterns. The TC covers BZ#2256442.

---
diff --git a/selinux-policy/bz538089-plymouth-operations-denied-during-boot/Makefile b/selinux-policy/bz538089-plymouth-operations-denied-during-boot/Makefile
new file mode 100644
index 0000000..ed51edc
--- /dev/null
+++ b/selinux-policy/bz538089-plymouth-operations-denied-during-boot/Makefile
@@ -0,0 +1,88 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/selinux-policy/Regression/bz538089-plymouth-operations-denied-during-boot
+# Description: some plymouth operations are denied during boot because of SELinux
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/selinux-policy/Regression/bz538089-plymouth-operations-denied-during-boot
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: some plymouth operations are denied during boot because of SELinux" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 30m" >> $(METADATA)
+ @echo "RunFor: selinux-policy" >> $(METADATA)
+ @echo "Requires: audit" >> $(METADATA)
+ @echo "Requires: /usr/sbin/service" >> $(METADATA)
+ @echo "Requires: libselinux" >> $(METADATA)
+ @echo "Requires: libselinux-utils" >> $(METADATA)
+ @echo "Requires: plymouth" >> $(METADATA)
+ @echo "Requires: policycoreutils" >> $(METADATA)
+ @echo "Requires: selinux-policy" >> $(METADATA)
+ @echo "Requires: selinux-policy-targeted" >> $(METADATA)
+ @echo "Requires: setools-console" >> $(METADATA)
+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELServer5 -RHELClient5" >> $(METADATA)
+ @echo "Bug: 538089" >> $(METADATA) # RHEL-6
+ @echo "Bug: 560611" >> $(METADATA) # RHEL-6
+ @echo "Bug: 904016" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1045382" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1131195" >> $(METADATA) # RHEL-6
+ @echo "Bug: 1160196" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1202429" >> $(METADATA) # Fedora 21
+ @echo "Bug: 1517405" >> $(METADATA) # Fedora 27
+ @echo "Bug: 1664143" >> $(METADATA) # Fedora 29
+ @echo "Bug: 1869814" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1871307" >> $(METADATA) # RHEL-8
+ @echo "Bug: 2184803" >> $(METADATA) # RHEL-9
+ @echo "Bug: 2256442" >> $(METADATA) # Fedora 40
+
+ rhts-lint $(METADATA)
+
diff --git a/selinux-policy/bz538089-plymouth-operations-denied-during-boot/PURPOSE b/selinux-policy/bz538089-plymouth-operations-denied-during-boot/PURPOSE
new file mode 100644
index 0000000..e16c39f
--- /dev/null
+++ b/selinux-policy/bz538089-plymouth-operations-denied-during-boot/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/selinux-policy/Regression/bz538089-plymouth-operations-denied-during-boot
+Author: Milos Malik
+
+SELinux interferes with plymouth / plymouthd and related programs.
+
diff --git a/selinux-policy/bz538089-plymouth-operations-denied-during-boot/main.fmf b/selinux-policy/bz538089-plymouth-operations-denied-during-boot/main.fmf
new file mode 100644
index 0000000..7aa34c3
--- /dev/null
+++ b/selinux-policy/bz538089-plymouth-operations-denied-during-boot/main.fmf
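Review bot: `run` and `build` are not listed in `.PHONY: all install download clean`, so a stray file named `run` or `build` in the test directory would make `make run` report the target up to date and skip `./runtest.sh`; meanwhile `all`, `install` and `download` are declared phony but not defined in this file (presumably they come from the included `rhts-make.include`). Suggest `.PHONY: all install download clean run build`. The `chmod a+x runtest.sh` step in `build` duplicates the file's committed mode 100755, so it is harmless but redundant, whereas the `chcon -t bin_t` step is what actually matters for the SELinux label.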
@@ -0,0 +1,55 @@
+summary: some plymouth operations are denied during boot because of SELinux
+description: |+
+ SELinux interferes with plymouth / plymouthd and related programs.
+
+contact: Milos Malik
+component:
+ - selinux-policy
+test: ./runtest.sh
+framework: beakerlib
+require:
+ - library(selinux-policy/common)
+recommend:
+ - audit
+ - /usr/sbin/service
+ - libselinux
+ - libselinux-utils
+ - plymouth
+ - policycoreutils
+ - selinux-policy
+ - selinux-policy-targeted
+ - setools-console
+environment:
+ AVC_ERROR: +no_avc_check
+duration: 30m
+enabled: true
+tag:
+ - kernel-rt
+ - NoRHEL4
+ - NoRHEL5
+ - TIPpass_Security
+ - TierCandidatesPASS
+ - f32friendly
+ - f33friendly
+ - targeted
+link:
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=538089
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=560611
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=904016
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1045382
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1131195
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1160196
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1202429
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1517405
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1664143
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1869814
+ - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1871307
+ - verifies: https://bugzilla.redhat.com/show_bug.cgi?id=2184803
+ - verifies: https://bugzilla.redhat.com/show_bug.cgi?id=2256442
+adjust:
+ - enabled: false
+ when: distro == rhel-4, rhel-5
+ continue: false
+extra-nitrate: TC#0057474
+extra-summary: /CoreOS/selinux-policy/Regression/bz538089-plymouth-operations-denied-during-boot
+extra-task: /CoreOS/selinux-policy/Regression/bz538089-plymouth-operations-denied-during-boot
diff --git a/selinux-policy/bz538089-plymouth-operations-denied-during-boot/runtest.sh b/selinux-policy/bz538089-plymouth-operations-denied-during-boot/runtest.sh
new file mode 100755
index 0000000..5b11531
--- /dev/null
+++ b/selinux-policy/bz538089-plymouth-operations-denied-during-boot/runtest.sh
@@ -0,0 +1,184 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/selinux-policy/Regression/bz538089-plymouth-operations-denied-during-boot
+# Description: some plymouth operations are denied during boot because of SELinux
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="selinux-policy"
+ROOT_PASSWORD="redhat"
+FILE_PATH="/usr/sbin/plymouthd"
+FILE_CONTEXT="plymouthd_exec_t"
+SERVICE_PACKAGE="plymouth"
+SERVICE_NAME="plymouth-start"
+PROCESS_NAME="plymouthd"
+PROCESS_CONTEXT="plymouthd_t"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ rlSESatisfyRequires
+ rlAssertRpm ${PACKAGE}
+ rlAssertRpm ${PACKAGE}-targeted
+ rlAssertRpm ${SERVICE_PACKAGE}
+
+ rlServiceStop ${SERVICE_NAME}
+ rlFileBackup /etc/shadow
+
+ rlSESetEnforce
+ rlSEStatus
+ rlSESetTimestamp
+ sleep 2
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#538089"
+ rlSEMatchPathCon "/bin/plymouth" "plymouth_exec_t"
+ rlSEMatchPathCon "/sbin/cryptsetup" "lvm_exec_t"
+ rlSEMatchPathCon "/dev/mapper/control" "lvm_control_t"
+ rlRun "ls -Z /proc/devices | grep :proc_t"
+ rlSESearchRule "allow plymouth_t lvm_exec_t : file { getattr open read execute }"
+ rlSESearchRule "type_transition plymouth_t lvm_exec_t : process lvm_t"
+ rlSESearchRule "allow plymouth_t lvm_t : process { transition }"
+ rlSESearchRule "allow lvm_t lvm_t : capability { ipc_lock }"
+ rlSESearchRule "allow lvm_t proc_t : file { getattr open read }"
+ rlSESearchRule "allow lvm_t lvm_control_t : chr_file { getattr open read write }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#560611"
+ rlSEMatchPathCon "/bin/plymouth" "plymouth_exec_t"
+ rlRun "ls -Z /proc/cmdline | grep :proc_t"
+ rlSESearchRule "allow plymouth_t proc_t : file { getattr open read }"
+ rlPhaseEnd
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "bz#904016"
+ rlSEMatchPathCon "/usr/sbin/plymouthd" "plymouthd_exec_t"
+ rlSEMatchPathCon "/var/log/boot.log" "plymouthd_var_log_t"
+ # when plymouthd runs as plymouthd_t
+ rlSESearchRule "allow plymouthd_t var_log_t : dir { write add_name }"
+ rlSESearchRule "type_transition plymouthd_t var_log_t : file plymouthd_var_log_t"
+ rlSESearchRule "allow plymouthd_t plymouthd_var_log_t : file { create }"
+ # when plymouthd runs as kernel_t
+ rlSESearchRule "allow kernel_t var_log_t : dir { write add_name }"
+ rlRun "sesearch -s kernel_t -t var_log_t -c file -T | grep 'plymouthd_var_log_t.*boot.log'"
+ rlSESearchRule "allow kernel_t plymouthd_var_log_t : file { create }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1045382"
+ rlSEMatchPathCon "/usr/sbin/plymouthd" "plymouthd_exec_t"
+ rlSEMatchPathCon "/var/run/udev" "udev_var_run_t"
+ rlSEMatchPathCon "/var/run/udev/queue.bin" "udev_var_run_t"
+ rlSESearchRule "allow plymouthd_t plymouthd_t : netlink_kobject_uevent_socket { create setopt bind getattr }"
+ rlSESearchRule "allow plymouthd_t udev_var_run_t : dir { search }"
+ rlSESearchRule "allow plymouthd_t udev_var_run_t : file { getattr open read }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1160196"
+ rlSEMatchPathCon "/usr/sbin/plymouthd" "plymouthd_exec_t"
+ rlSEMatchPathCon "/var/lib/sss" "sssd_var_lib_t"
+ rlSEMatchPathCon "/var/lib/sss/mc" "sssd_public_t"
+ rlSEMatchPathCon "/var/lib/sss/mc/group" "sssd_public_t"
+ rlSEMatchPathCon "/var/lib/sss/pipes" "sssd_var_lib_t"
+ rlSEMatchPathCon "/var/lib/sss/pipes/nss" "sssd_var_lib_t"
+ rlSESearchRule "allow plymouthd_t sssd_public_t : dir { getattr search open }"
+ rlSESearchRule "allow plymouthd_t sssd_public_t : file { getattr open read }"
+ rlSESearchRule "allow plymouthd_t sssd_var_lib_t : dir { getattr search open }"
+ rlSESearchRule "allow plymouthd_t sssd_var_lib_t : sock_file { write getattr append open }"
+ rlPhaseEnd
+ fi
+
+ if rlIsRHEL 6 ; then
+ rlPhaseStartTest "bz#1131195"
+ rlSEMatchPathCon "/var/spool/plymouth/boot.log" "plymouthd_spool_t"
+ rlSESearchRule "allow xdm_t plymouthd_spool_t : file { getattr }"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "bz#1202429"
+ rlSEMatchPathCon "/dev/ttyUSB0" "usbtty_device_t"
+ rlSESearchRule "allow plymouthd_t usbtty_device_t : chr_file { read write } [ ]"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "bz#1517405"
+ rlSEMatchPathCon "/dev/fb0" "framebuf_device_t"
+ rlSESearchRule "allow plymouthd_t framebuf_device_t : chr_file { map } [ ]"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 7 ; then
+ rlPhaseStartTest "bz#1664143"
+ rlSEMatchPathCon "/sys/firmware/efi/efivars" "efivarfs_t"
+ rlSESearchRule "allow plymouthd_t efivarfs_t : dir { getattr open search } [ ]"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 7 ; then
+ rlPhaseStartTest "bz#1869814 + bz#1871307"
+ rlSESearchRule "allow plymouthd_t plymouthd_t : capability { sys_chroot } [ ]"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 7 8 ; then
+ rlPhaseStartTest "bz#2184803"
+ rlSESearchRule "allow plymouthd_t plymouthd_t : capability2 { bpf } [ ]"
+ rlPhaseEnd
+ fi
+
+ if rlIsFedora ; then
+ rlPhaseStartTest "bz#2256442"
+ rlSEMatchPathCon "/dev/kmsg" "kmsg_device_t"
+ rlSESearchRule "allow plymouthd_t kmsg_device_t : chr_file { open read write } [ ]"
+ rlSESearchRule "allow plymouthd_t kernel_t : system { syslog_read } [ ]"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "real scenario -- standalone service"
+ rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"
+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then
+ # for environments where the SELinux domain does not exist yet
+ PROCESS_CONTEXT="unconfined_service_t"
+ fi
+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1
+ rlRun "restorecon -Rv /run /var -e /var/ARTIFACTS" 0-255
+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+
+ rlFileRestore
+ rlServiceRestore ${SERVICE_NAME}
+ rlPhaseEnd
+ rlJournalPrintText
+rlJournalEnd
+
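Review bot: `rlRun "restorecon -Rv /run /var -e /var/ARTIFACTS" 0-255` in the "real scenario" phase accepts every exit status, so a failed relabel cannot fail the phase even though the following `rlSEService ... "restart status stop status"` assertion depends on the contexts that relabel is meant to fix; if the wide range is deliberate (for instance because `-e` on an absent exclude path makes restorecon exit non-zero), a one-line comment saying so would help, otherwise narrow it to the statuses actually expected. `FILE_PATH` and `FILE_CONTEXT` are assigned at the top but never referenced — the phases use the literal `"/usr/sbin/plymouthd"` / `"plymouthd_exec_t"` instead — so either use the variables or drop them. The new bz#2256442 phase is guarded by `rlIsFedora` alone while the Makefile tags that bug as Fedora 40, so if the policy rules landed only in newer releases the phase will fail on older Fedora composes; worth confirming, and a versioned guard such as `rlIsFedora '>=40'` may be the intended one if the BeakerLib version in use supports the operator syntax.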