public inbox for git-commits@fedoraproject.org
From: Milos Malik <mmalik@redhat.com>
To: git-commits@fedoraproject.org
Subject: [tests/selinux] main: test if the bootupd service can talk to SSSD
Date: Mon, 29 Jun 2026 13:09:23 GMT
Message-ID: <178273856341.1.6987817576241879217.tests-selinux-f03d5ff12b0f@fedoraproject.org>

            A new commit has been pushed.

            Repo   : tests/selinux
            Branch : main
            Commit : f03d5ff12b0f0e7e13043e356919290493839d48
            Author : Milos Malik <mmalik@redhat.com>
            Date   : 2026-06-29T12:14:27+00:00
            Stats  : +14/-0 in 3 file(s)
            URL    : https://src.fedoraproject.org/tests/selinux/c/f03d5ff12b0f0e7e13043e356919290493839d48?branch=main

            Log:
            test if the bootupd service can talk to SSSD

A recently filed bug report revealed that SELinux prevents the
bootupd service and its child processes from talking to SSSD.
The TC reproduces the situation on machines created by bootc.

In order to support this scenario, I believe that SELinux policy
should allow the necessary access. The TC looks for appropriate
policy rules and file context patterns.

The TC covers RHEL-174888.

---
diff --git a/selinux-policy/bootupd-and-similar/Makefile b/selinux-policy/bootupd-and-similar/Makefile
index 2134c06..68ea1c9 100644
--- a/selinux-policy/bootupd-and-similar/Makefile
+++ b/selinux-policy/bootupd-and-similar/Makefile
@@ -69,6 +69,7 @@ $(METADATA): Makefile
 	@echo "Bug:             RHEL-39514" >> $(METADATA) # RHEL-10
 	@echo "Bug:             RHEL-66584" >> $(METADATA) # RHEL-9
 	@echo "Bug:             RHEL-70849" >> $(METADATA) # RHEL-9
+	@echo "Bug:             RHEL-174888" >> $(METADATA) # RHEL-9
 
 	rhts-lint $(METADATA)
 
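Review bot: the trailing `# RHEL-9` on the new `Bug: RHEL-174888` line is the only place the target release is recorded, and the commit message does not say which release the bug was filed against; please confirm it, because the surrounding lines show the comment is used to tell RHEL-9 bugs apart from RHEL-10 ones (RHEL-39514 is tagged `# RHEL-10`), and the same tag is what a reader will use to decide whether a failure of the new phase on RHEL-10 is expected.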

diff --git a/selinux-policy/bootupd-and-similar/main.fmf b/selinux-policy/bootupd-and-similar/main.fmf
index 6f814d7..52e576e 100644
--- a/selinux-policy/bootupd-and-similar/main.fmf
+++ b/selinux-policy/bootupd-and-similar/main.fmf
@@ -41,6 +41,7 @@ link:
   - verifies: https://issues.redhat.com/browse/RHEL-39514
   - verifies: https://issues.redhat.com/browse/RHEL-66584
   - verifies: https://issues.redhat.com/browse/RHEL-70849
+  - verifies: https://issues.redhat.com/browse/RHEL-174888
 adjust+:
   - enabled: false
     when: distro == rhel-4, rhel-5, rhel-6, rhel-7, rhel-8, centos-stream-8

diff --git a/selinux-policy/bootupd-and-similar/runtest.sh b/selinux-policy/bootupd-and-similar/runtest.sh
index 73e5322..f2b2767 100755
--- a/selinux-policy/bootupd-and-similar/runtest.sh
+++ b/selinux-policy/bootupd-and-similar/runtest.sh
@@ -123,6 +123,18 @@ rlJournalStart
         rlSESearchRule "type_transition bootupd_t bootloader_exec_t : process bootloader_t"
         rlSESearchRule "allow bootupd_t bootloader_t : process { transition } [ ]"
     rlPhaseEnd
+
+    rlPhaseStartTest "RHEL-174888"
+        rlSEMatchPathCon "/usr/bin/lsblk" "bin_t"
+        rlSEMatchPathCon "/etc/passwd" "passwd_file_t"
+        rlSEMatchPathCon "/run/mount/utab" "mount_var_run_t"
+        rlSEMatchPathCon "/var/lib/sss/mc/passwd" "sssd_public_t"
+        rlSEMatchPathCon "/var/lib/sss" "sssd_var_lib_t"
+        rlSESearchRule "allow bootupd_t mount_var_run_t : dir { search } [ ]"
+        rlSESearchRule "allow bootupd_t passwd_file_t : file { getattr open read } [ ]"
+        rlSESearchRule "allow bootupd_t sssd_public_t : dir { search } [ ]"
+        rlSESearchRule "allow bootupd_t sssd_var_lib_t : dir { search } [ ]"
+    rlPhaseEnd
     fi
 
     if [ -f /usr/lib/systemd/system/${SERVICE_NAME}.service ] ; then
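Review bot: the new RHEL-174888 phase asserts only `dir { search }` on sssd_public_t and sssd_var_lib_t, yet the matchpathcon line two rows above expects /var/lib/sss/mc/passwd (a file, labelled sssd_public_t) to be what bootupd_t's children open, so a file rule on sssd_public_t (at least `getattr open read`, as is already checked for passwd_file_t) seems to be missing, and the same applies to /run/mount/utab under mount_var_run_t, where lsblk needs to read the file and not only search the directory. If the AVCs in the bug report include those file accesses, add the matching `rlSESearchRule "allow bootupd_t sssd_public_t : file { getattr open read } [ ]"` (and the mount_var_run_t file rule); if the policy fix deliberately granted only the directory searches, a one-line comment in the phase saying so would stop the next reader from filing the gap as a test bug. Also worth a comment: bin_t for /usr/bin/lsblk is asserted here, which means lsblk runs in bootupd_t without a transition, so every rule in this phase is for bootupd_t itself rather than for a child domain.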
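The commit message says the TC looks for policy rules and file context patterns; the following is an added example of the same checks outside beakerlib, written by the editor and not taken from the tests/selinux repository. It runs `sesearch` (setools) and `matchpathcon` (libselinux) when they are installed and otherwise falls back to the constructed sample output embedded below, so the parsing can be exercised offline. The sample rules, the boolean name `example_bool` and the sesearch/matchpathcon output layouts it parses are assumptions of this example; the rule it shows being skipped because of a boolean is there only to demonstrate that the trailing `[ ]` in the test's rlSESearchRule calls means "no condition".

```shell
#!/bin/sh
# Added example (editor's code, not from tests/selinux): re-check the access
# the RHEL-174888 phase expects. Uses the live policy when sesearch and
# matchpathcon exist, otherwise the constructed samples below.

# Constructed sample in sesearch's output layout (not captured from a real
# policy). The last rule is boolean-gated on the assumed "example_bool" and
# must be ignored, matching the "[ ]" (no condition) used by rlSESearchRule.
SAMPLE_RULES='allow bootupd_t sssd_public_t:dir search;
allow bootupd_t sssd_var_lib_t:dir search;
allow bootupd_t mount_var_run_t:dir search;
allow bootupd_t passwd_file_t:file { getattr open read };
allow bootupd_t sssd_public_t:file { getattr open read map }; [ example_bool ]:True'

# Constructed sample in matchpathcon's layout ("path<ws>user:role:type:level").
SAMPLE_CONTEXTS='/usr/bin/lsblk system_u:object_r:bin_t:s0
/etc/passwd system_u:object_r:passwd_file_t:s0
/run/mount/utab system_u:object_r:mount_var_run_t:s0
/var/lib/sss/mc/passwd system_u:object_r:sssd_public_t:s0
/var/lib/sss system_u:object_r:sssd_var_lib_t:s0'

# allow_covers SRC TGT CLASS PERM...   (sesearch output on stdin)
# Succeeds if an unconditional "allow SRC TGT:CLASS" rule grants every PERM.
allow_covers() {
    src=$1; tgt=$2; cls=$3; shift 3
    while IFS= read -r line; do
        case $line in
            "allow $src $tgt:$cls "*) ;;
            *) continue ;;
        esac
        # Boolean-gated rules carry a "[ bool ]:True/False" suffix; skip them.
        case $line in *"]:"*) continue ;; esac
        perms=${line#"allow $src $tgt:$cls "}
        perms=${perms%%;*}                          # drop ";" and anything after
        perms=$(printf '%s' "$perms" | tr -d '{}')  # single perm has no braces
        ok=1
        for p in "$@"; do
            case " $perms " in *" $p "*) ;; *) ok=0 ;; esac
        done
        [ "$ok" -eq 1 ] && return 0
    done
    return 1
}

# context_type LINE: print the type field of one matchpathcon output line.
context_type() {
    ctx=${1##*[[:space:]]}        # the security context is the last field
    oldifs=$IFS; IFS=:
    set -- $ctx                   # user role type level
    IFS=$oldifs
    printf '%s\n' "$3"
}

have_tool() { command -v "$1" >/dev/null 2>&1; }

# check_rule SRC TGT CLASS PERM... : live policy if possible, else the sample.
check_rule() {
    if have_tool sesearch; then
        sesearch -A -s "$1" -t "$2" -c "$3" | allow_covers "$@"
    else
        printf '%s\n' "$SAMPLE_RULES" | allow_covers "$@"
    fi
}

# check_context PATH TYPE: compare the type the file context patterns assign.
check_context() {
    if have_tool matchpathcon; then
        line=$(matchpathcon "$1")
    else
        line=$(printf '%s\n' "$SAMPLE_CONTEXTS" | grep "^$1[[:space:]]")
    fi
    [ "$(context_type "$line")" = "$2" ]
}

# run_checks: the same five contexts and four rules as the new test phase;
# returns the number of failed checks.
run_checks() {
    fails=0
    for spec in "/usr/bin/lsblk bin_t" "/etc/passwd passwd_file_t" \
                "/run/mount/utab mount_var_run_t" \
                "/var/lib/sss/mc/passwd sssd_public_t" "/var/lib/sss sssd_var_lib_t"; do
        set -- $spec
        if check_context "$1" "$2"; then echo "PASS context $1 -> $2"
        else echo "FAIL context $1 -> $2"; fails=$((fails + 1)); fi
    done
    for spec in "bootupd_t mount_var_run_t dir search" \
                "bootupd_t passwd_file_t file getattr open read" \
                "bootupd_t sssd_public_t dir search" \
                "bootupd_t sssd_var_lib_t dir search"; do
        set -- $spec
        if check_rule "$@"; then echo "PASS allow $*"
        else echo "FAIL allow $*"; fails=$((fails + 1)); fi
    done
    return $fails
}

run_checks
```

On a bootc host with selinux-policy and setools installed, the live branch runs exactly the lookups rlSESearchRule and rlSEMatchPathCon perform; a FAIL line there, with no corresponding FAIL against the samples, points at the installed policy rather than at the script.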
