Bug
Resolution: Unresolved
Normal
rhel-10.0.beta
Moderate
rhel-sst-security-special-projects
ssg_security
What were you trying to do that didn't work?
Compared to the previous version of fapolicyd on RHEL-9.5, rules in the rules-d dir behave differently when upgrading/removing fapolicyd to a newer package and using custom/default rules.
For example, after removing the fapolicyd rpm, the rules-d dir should be empty and not contain rules.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: uninstall - default rules
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:19:13 ] :: [ PASS ] :: Command 'rm -rf /etc/fapolicyd' (Expected 0, got 0)
:: [ 07:19:22 ] :: [ PASS ] :: Command 'yum install fapolicyd-1.3.3-101.el10 -y --allowerasing' (Expected 0, got 0)
:: [ 07:19:25 ] :: [ PASS ] :: Command 'yum reinstall fapolicyd-1.3.3-101.el10 -y --allowerasing' (Expected 0, got 0)
:: [ 07:19:25 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/' (Expected 0, got 0)
:: [ 07:19:25 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/rules.d/' (Expected 0, got 0)
:: [ 07:19:25 ] :: [ PASS ] :: Command 'cat /etc/fapolicyd/rules.d/95-allow-open.rules' (Expected 0, got 0)
:: [ 07:19:25 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.MmDpMrtF' should contain 'allow perm=open'
:: [ 07:19:32 ] :: [ PASS ] :: Command 'yum remove fapolicyd -y' (Expected 0, got 0)
:: [ 07:19:32 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/' (Expected 0-255, got 0)
:: [ 07:19:32 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/rules.d/' (Expected 0-255, got 0)
:: [ 07:19:32 ] :: [ FAIL ] :: rules are deployed into /etc/fapolicyd/rules.d (Assert: '11' should equal '0')
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Then, for example, when upgrading the rpm from an old version and using removed rules, there shouldn't be any rules.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: upgrade from old version - changed rules
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:14:36 ] :: [ PASS ] :: Command 'rm -rf /etc/fapolicyd' (Expected 0, got 0)
:: [ 07:14:46 ] :: [ PASS ] :: Command 'yum install fapolicyd-1.3.2-4.el10 -y --allowerasing' (Expected 0, got 0)
:: [ 07:14:48 ] :: [ PASS ] :: Command 'yum reinstall fapolicyd-1.3.2-4.el10 -y --allowerasing' (Expected 0, got 0)
:: [ 07:14:48 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/' (Expected 0, got 0)
:: [ 07:14:57 ] :: [ PASS ] :: Command 'yum install fapolicyd-1.3.3-101.el10 -y --allowerasing' (Expected 0, got 0)
:: [ 07:14:57 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/' (Expected 0, got 0)
:: [ 07:14:57 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/rules.d/' (Expected 0, got 0)
:: [ 07:14:57 ] :: [ PASS ] :: File /etc/fapolicyd/fapolicyd.rules should exist
:: [ 07:14:57 ] :: [ FAIL ] :: rules are deployed into /etc/fapolicyd/rules.d (Assert: '11' should equal '0')
And then, when upgrading the rpm to a new version and using updated default rules, rules-d should be updated.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: upgrade to new version - updated default rules
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:17:28 ] :: [ PASS ] :: Command 'rm -rf /etc/fapolicyd' (Expected 0, got 0)
:: [ 07:17:37 ] :: [ PASS ] :: Command 'yum install fapolicyd-1.3.3-101.el10 -y --allowerasing' (Expected 0, got 0)
:: [ 07:17:39 ] :: [ PASS ] :: Command 'yum reinstall fapolicyd-1.3.3-101.el10 -y --allowerasing' (Expected 0, got 0)
:: [ 07:17:39 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/' (Expected 0, got 0)
:: [ 07:17:39 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/rules.d/' (Expected 0, got 0)
:: [ 07:17:39 ] :: [ PASS ] :: Command 'cat /etc/fapolicyd/rules.d/95-allow-open.rules' (Expected 0, got 0)
:: [ 07:17:39 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.WlGZv9BY' should contain 'allow perm=open'
:: [ 07:17:48 ] :: [ PASS ] :: Command 'yum install fapolicyd-1.3.3-101.el10_99.x86_64 -y --allowerasing' (Expected 0, got 0)
:: [ 07:17:48 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/' (Expected 0, got 0)
:: [ 07:17:48 ] :: [ PASS ] :: Command 'ls -la /etc/fapolicyd/rules.d/' (Expected 0, got 0)
:: [ 07:17:48 ] :: [ PASS ] :: Command 'cat /etc/fapolicyd/rules.d/95-allow-open.rules' (Expected 0, got 0)
:: [ 07:17:48 ] :: [ FAIL ] :: File '/var/tmp/rlRun_LOG.8M8QXgSg' should not contain 'allow perm=open'
:: [ 07:17:48 ] :: [ FAIL ] :: File '/var/tmp/rlRun_LOG.8M8QXgSg' should contain 'allow perm=any'
Please provide the package NVR for which bug is seen:
rpm -qa | grep fapolicyd
rpm-plugin-fapolicyd-4.19.1.1-2.el10.x86_64
fapolicyd-selinux-1.3.3-101.el10.noarch
fapolicyd-1.3.3-101.el10.x86_64
How reproducible:
Always, via automated test case.
Steps to reproduce
- git clone https://github.com/RedHat-SP-Security/fapolicyd-tests.git
- tmt --context distro=RHEL-10.0 run plan --default -vvv prepare discover -h fmf -t /Sanity/rules-d -vv provision -h connect -g IP -u USER -p PASSWORD execute --how tmt --interactive login report --how junit finish
NOTE: The system needs to have rhel-buildroot enabled.
Expected results
Fapolicyd test scenario will PASS
Actual results
Fapolicyd test scenario FAILED