From 8c8d3ba91ee770cf4c3e14aceab39a7d412e4b45 Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: Oct 20 2020 19:09:39 +0000
Subject: test if fapolicyd can talk to D-bus daemon

Based on the content of reported SELinux denials, the fapolicyd service (after its start) wants to communicate with D-bus daemon, but SELinux policy does not allow that action. I believe this behaviour is expected and it should be allowed in fapolicyd SELinux module. The automated TC looks for appropriate allow rules and it also reproduces the issue. The TC covers BZ#1874491.

---

diff --git a/selinux-policy/fapolicyd-and-similar/Makefile b/selinux-policy/fapolicyd-and-similar/Makefile
index d75d14e..aa9fa7a 100644
--- a/selinux-policy/fapolicyd-and-similar/Makefile
+++ b/selinux-policy/fapolicyd-and-similar/Makefile
@@ -64,6 +64,7 @@ $(METADATA): Makefile
 @echo "Destructive: no" >> $(METADATA)
 @echo "Releases: -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA)
 @echo "Bug: 1865818" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1874491" >> $(METADATA) # Fedora 33
 rhts-lint $(METADATA)
diff --git a/selinux-policy/fapolicyd-and-similar/runtest.sh b/selinux-policy/fapolicyd-and-similar/runtest.sh
index 3e69b01..f8ed470 100755
--- a/selinux-policy/fapolicyd-and-similar/runtest.sh
+++ b/selinux-policy/fapolicyd-and-similar/runtest.sh
@@ -63,6 +63,15 @@ rlJournalStart
 rlSESearchRule "allow ${PROCESS_CONTEXT} net_conf_t : lnk_file { getattr read } [ ]"
 rlPhaseEnd
+ rlPhaseStartTest "bz#1874491"
+ rlSEMatchPathCon "/usr/sbin/fapolicyd" ${FILE_CONTEXT}
+ rlSEMatchPathCon "/run/dbus/system_bus_socket" "system_dbusd_var_run_t"
+ rlSESearchRule "allow fapolicyd_t system_dbusd_var_run_t : sock_file { write } [ ]"
+ rlSESearchRule "allow fapolicyd_t system_dbusd_t : unix_stream_socket { connectto } [ ]"
+ rlSESearchRule "allow fapolicyd_t system_dbusd_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow system_dbusd_t fapolicyd_t : dbus { send_msg } [ ]"
+ rlPhaseEnd
+
 rlPhaseStartTest "real scenario -- standalone service"
 rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"
 if ! rlSEDefined ${PROCESS_CONTEXT} ; then
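Review bot: The new bz#1874491 phase hard-codes `fapolicyd_t` in all four rlSESearchRule calls, while the context line directly above it and the `rlSEDefined` check below use `${PROCESS_CONTEXT}` (and the path check on the line before uses `${FILE_CONTEXT}`), so the phase would keep testing the fapolicyd domain if those variables are ever pointed at one of the "similar" daemons the directory name suggests; e.g. `rlSESearchRule "allow ${PROCESS_CONTEXT} system_dbusd_var_run_t : sock_file { write } [ ]"` and likewise for the unix_stream_socket and both dbus lines. The phase only queries the loaded policy; nothing in it starts the service or touches the bus socket, so the reproduction the commit message promises presumably lives in the existing "real scenario" phase, whose body continues past the end of the hunk. A one-line comment above `rlPhaseStartTest "bz#1874491"` naming what the four rules are expected to permit (writing the system bus socket, connecting to dbus-daemon, and send_msg in both directions) would make the intent readable without looking up the BZ.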