public inbox for git-commits@fedoraproject.org
* [tests/selinux] main: test if the bootupd service can talk to SSSD
@ 2026-06-29 13:09 Milos Malik
0 siblings, 0 replies; only message in thread
From: Milos Malik @ 2026-06-29 13:09 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : tests/selinux
Branch : main
Commit : f03d5ff12b0f0e7e13043e356919290493839d48
Author : Milos Malik <mmalik@redhat.com>
Date : 2026-06-29T12:14:27+00:00
Stats : +14/-0 in 3 file(s)
URL : https://src.fedoraproject.org/tests/selinux/c/f03d5ff12b0f0e7e13043e356919290493839d48?branch=main
Log:
test if the bootupd service can talk to SSSD
A recently filed bug report revealed that SELinux prevents the
bootupd service and its child processes from talking to SSSD.
The TC reproduces the situation on machines created by bootc.
In order to support this scenario, I believe that SELinux policy
should allow the necessary access. The TC looks for appropriate
policy rules and file context patterns.
The TC covers RHEL-174888.
---
diff --git a/selinux-policy/bootupd-and-similar/Makefile b/selinux-policy/bootupd-and-similar/Makefile
index 2134c06..68ea1c9 100644
--- a/selinux-policy/bootupd-and-similar/Makefile
+++ b/selinux-policy/bootupd-and-similar/Makefile
@@ -69,6 +69,7 @@ $(METADATA): Makefile
@echo "Bug: RHEL-39514" >> $(METADATA) # RHEL-10
@echo "Bug: RHEL-66584" >> $(METADATA) # RHEL-9
@echo "Bug: RHEL-70849" >> $(METADATA) # RHEL-9
+ @echo "Bug: RHEL-174888" >> $(METADATA) # RHEL-9
rhts-lint $(METADATA)
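Review bot: the `# RHEL-9` comment on the new `Bug: RHEL-174888` line repeats the tag of the two preceding entries; check that it matches the release the bug is actually filed against, since this comment is the only place in the change that records the release mapping (the `verifies:` link added to main.fmf carries none).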
diff --git a/selinux-policy/bootupd-and-similar/main.fmf b/selinux-policy/bootupd-and-similar/main.fmf
index 6f814d7..52e576e 100644
--- a/selinux-policy/bootupd-and-similar/main.fmf
+++ b/selinux-policy/bootupd-and-similar/main.fmf
@@ -41,6 +41,7 @@ link:
- verifies: https://issues.redhat.com/browse/RHEL-39514
- verifies: https://issues.redhat.com/browse/RHEL-66584
- verifies: https://issues.redhat.com/browse/RHEL-70849
+ - verifies: https://issues.redhat.com/browse/RHEL-174888
adjust+:
- enabled: false
when: distro == rhel-4, rhel-5, rhel-6, rhel-7, rhel-8, centos-stream-8
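Review bot: the `verifies:` link is the only metadata change here, and the `adjust+:` block still disables the test only on rhel-4 through rhel-8 and centos-stream-8, so the new RHEL-174888 checks in runtest.sh will also run on Fedora and CentOS Stream 9 and later; that is fine if the corresponding policy rules land there too, otherwise consider an `adjust+:` entry or an in-script gate for the new phase.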
diff --git a/selinux-policy/bootupd-and-similar/runtest.sh b/selinux-policy/bootupd-and-similar/runtest.sh
index 73e5322..f2b2767 100755
--- a/selinux-policy/bootupd-and-similar/runtest.sh
+++ b/selinux-policy/bootupd-and-similar/runtest.sh
@@ -123,6 +123,18 @@ rlJournalStart
rlSESearchRule "type_transition bootupd_t bootloader_exec_t : process bootloader_t"
rlSESearchRule "allow bootupd_t bootloader_t : process { transition } [ ]"
rlPhaseEnd
+
+ rlPhaseStartTest "RHEL-174888"
+ rlSEMatchPathCon "/usr/bin/lsblk" "bin_t"
+ rlSEMatchPathCon "/etc/passwd" "passwd_file_t"
+ rlSEMatchPathCon "/run/mount/utab" "mount_var_run_t"
+ rlSEMatchPathCon "/var/lib/sss/mc/passwd" "sssd_public_t"
+ rlSEMatchPathCon "/var/lib/sss" "sssd_var_lib_t"
+ rlSESearchRule "allow bootupd_t mount_var_run_t : dir { search } [ ]"
+ rlSESearchRule "allow bootupd_t passwd_file_t : file { getattr open read } [ ]"
+ rlSESearchRule "allow bootupd_t sssd_public_t : dir { search } [ ]"
+ rlSESearchRule "allow bootupd_t sssd_var_lib_t : dir { search } [ ]"
+ rlPhaseEnd
fi
if [ -f /usr/lib/systemd/system/${SERVICE_NAME}.service ] ; then
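Review bot: the `rlSEMatchPathCon` checks in the new phase label two regular files (`/run/mount/utab` as `mount_var_run_t`, `/var/lib/sss/mc/passwd` as `sssd_public_t`), but the matching `rlSESearchRule` lines for those two types only look for `dir { search }`, so a policy that still denies reading the files themselves would pass this phase; add file-class checks next to the directory ones, with the permission set taken from the policy fix, e.g. `rlSESearchRule "allow bootupd_t sssd_public_t : file { getattr open read } [ ]"`. Similarly, `/usr/bin/lsblk` is matched as `bin_t` without any rule asserting that `bootupd_t` may execute `bin_t` files, and beyond the two directory searches the phase asserts nothing about the SSSD-side objects the commit message says bootupd cannot reach. Note also that the phase lands inside the `if` block closed by the trailing `fi` context line, so it inherits whatever condition guards the preceding bootupd transition checks; confirm that condition holds on the bootc-created machines the commit message describes.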