From 72f35b9876ccc405e72952581c3548723b63a431 Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: Nov 25 2020 08:37:47 +0000
Subject: test if root user can run rpmdb successfully
Based on SELinux policy rules, the root/unconfined_t user is expected to run the rpmdb program. A new test phase tests if such a scenario works successfully or not. Of course, the rpmdb program recognizes a lot of options, only the basic ones will be tested here.
---
diff --git a/selinux-policy/rpmdb-and-similar/runtest.sh b/selinux-policy/rpmdb-and-similar/runtest.sh
index 50f1b3e..a40bd81 100755
--- a/selinux-policy/rpmdb-and-similar/runtest.sh
+++ b/selinux-policy/rpmdb-and-similar/runtest.sh
@@ -38,6 +38,8 @@ PROCESS_NAME="rpmdb"
 PROCESS_CONTEXT="rpmdb_t"
 rlJournalStart
+ rlLog "If this test fails, please contact mmalik or IRC #selinux"
+ rlLog "This test should fail if tested bugs are NOT fixed yet"
 rlPhaseStartSetup
 rlRun "rlImport 'selinux-policy/common'"
 rlSESatisfyRequires
@@ -68,6 +70,20 @@ rlJournalStart
 rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} - ${PROCESS_CONTEXT} "restart status stop status" 1
 rlPhaseEnd
+ rlPhaseStartTest "rpmdb executed by root/unconfined_t"
+ rlRun "restorecon -Rv /var/lib/rpm"
+ rlRun "rpmdb --help"
+ OUTPUT_FILE=`mktemp`
+ rlRun "rpmdb --exportdb >& ${OUTPUT_FILE}"
+ rlRun "ls -l ${OUTPUT_FILE}"
+ rlRun "ls -dZ /var/lib/rpm | grep :rpm_var_lib_t"
+ rlRun "ls -Z /var/lib/rpm"
+ rlRun "cat ${OUTPUT_FILE} | rpmdb --importdb"
+ rlRun "ls -dZ /var/lib/rpm | grep :rpm_var_lib_t"
+ rlRun "ls -Z /var/lib/rpm"
+ rm -f ${OUTPUT_FILE}
+ rlPhaseEnd
+
 rlPhaseStartCleanup
 sleep 2
 rlSECheckAVC
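Review bot: In the new "rpmdb executed by root/unconfined_t" phase, `rpmdb --exportdb >& ${OUTPUT_FILE}` writes stderr into the same file that is later piped into `rpmdb --importdb`, so any diagnostic rpmdb prints becomes part of the data imported into the live /var/lib/rpm. Redirecting only stdout, `rlRun "rpmdb --exportdb > ${OUTPUT_FILE}"`, keeps the dump clean, and adding `rlRun "test -s ${OUTPUT_FILE}"` before the import would record an empty export as a failure, which `ls -l` does not. The temp file is created without a failure check and removed inside the test phase with an unquoted path; `OUTPUT_FILE=$(mktemp) || rlDie "mktemp failed"` plus a quoted `rm -f -- "${OUTPUT_FILE}"` in the cleanup phase would be more robust. The cleanup phase continues outside the hunk, so whether /var/lib/rpm is backed up and restored elsewhere cannot be confirmed from here.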