From 37878fa9ccee673eaa81de2347c204fb74a13e17 Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: Dec 14 2020 11:17:12 +0000
Subject: test if dhclient-script can execute chronyc

When the root user runs dhclient, SELinux denials related to chronyc are triggered, because SELinux policy does not allow dhclient-script to find and execute chronyc. I believe that SELinux policy should define a transition from dhcpc_t to chronyc_t, which allows the chronyc program to run under the correct context and do actions which are expected. The TC covers BZ#1897388. The TC reproduces the issue described above and it also looks for appropriate policy rules.
---
diff --git a/selinux-policy/dhclient-and-similar/Makefile b/selinux-policy/dhclient-and-similar/Makefile
index 9a1b4c3..4779e3c 100644
--- a/selinux-policy/dhclient-and-similar/Makefile
+++ b/selinux-policy/dhclient-and-similar/Makefile
@@ -62,6 +62,7 @@ $(METADATA): Makefile
 	@echo "Confidential: no" >> $(METADATA)
 	@echo "Destructive: no" >> $(METADATA)
 	@echo "Releases: -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA)
+	@echo "Bug: 1897388" >> $(METADATA) # Fedora 33
 	rhts-lint $(METADATA)
diff --git a/selinux-policy/dhclient-and-similar/main.fmf b/selinux-policy/dhclient-and-similar/main.fmf
new file mode 100644
index 0000000..d61123a
--- /dev/null
+++ b/selinux-policy/dhclient-and-similar/main.fmf
@@ -0,0 +1,2 @@
+path: /selinux-policy/dhclient-and-similar
+tier: 2
diff --git a/selinux-policy/dhclient-and-similar/runtest.sh b/selinux-policy/dhclient-and-similar/runtest.sh
index d2caa8b..4db364a 100755
--- a/selinux-policy/dhclient-and-similar/runtest.sh
+++ b/selinux-policy/dhclient-and-similar/runtest.sh
@@ -53,16 +53,25 @@ rlJournalStart
         sleep 2
     rlPhaseEnd
 
-    rlPhaseStartTest "real scenario -- runcon under root"
+    rlPhaseStartTest "bz#1897388"
+        rlSEMatchPathCon "/usr/sbin/dhclient-script" "dhcpc_exec_t"
+        rlSEMatchPathCon "/usr/bin/chronyc" "chronyc_exec_t"
+        rlSESearchRule "allow dhcpc_t chronyc_exec_t : file { getattr open read execute } [ ]"
+        rlSESearchRule "type_transition dhcpc_t chronyc_exec_t : process chronyc_t"
+        rlSESearchRule "allow dhcpc_t chronyc_t : process { transition } [ ]"
+    rlPhaseEnd
+
+    rlPhaseStartTest "real scenario"
         rlRun "dhclient"
-        sleep 5
-        rlRun "killall dhclient"
+        DHCLIENT_PID=`pgrep dhclient`
+        rlRun "ps -efZ | grep dhclient"
+        rlRun "ps -efZ | grep ':dhcpc_t:.*dhclient'"
     rlPhaseEnd
 
     rlPhaseStartCleanup
         sleep 2
         rlSECheckAVC
-
+        kill ${DHCLIENT_PID}
         rlServiceRestore ${SERVICE_NAME}
     rlPhaseEnd
 rlJournalPrintText
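Review bot: The domain check `rlRun "ps -efZ | grep ':dhcpc_t:.*dhclient'"` in the "real scenario" phase can pass even when no dhclient is running in dhcpc_t, because the grep process itself usually appears in the `ps -efZ` snapshot with that pattern on its command line and the pattern matches its own argument text; the preceding `grep dhclient` has the same weakness. Excluding the grep process, e.g. `rlRun "ps -efZ | grep ':dhcpc_t:.*[d]hclient'"`, or inspecting the captured process directly with `rlRun "ps -Z -p ${DHCLIENT_PID} | grep dhcpc_t"`, makes the assertion meaningful. The `pgrep dhclient` capture is empty when `rlRun "dhclient"` fails (and may hold several PIDs if another dhclient instance was already running), so the unconditioned `kill ${DHCLIENT_PID}` in the cleanup phase then errors outside of rlRun and is not reported; `[ -n "${DHCLIENT_PID}" ] && rlRun "kill ${DHCLIENT_PID}"` records the outcome. Note that the new phase only verifies dhclient's own domain, so whether chronyc actually ran as chronyc_t is established only indirectly by the rlSECheckAVC call in the cleanup. The enclosing rlJournalStart block begins before this hunk.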