From 6bfc47d5531087221906676d2395f15710ea70da Mon Sep 17 00:00:00 2001 From: Amith Kumar Date: Nov 25 2020 12:06:54 +0000 Subject: rsyslog : Add test coverage for rsyslog issues The rsyslog test suite, at present provides coverage for bugs 1823669 and 1823672. Later more cases will be added from downstream. Bz1823669 highlights the avc issues related rsyslog "imfile" module, which cannot read parent directories of the file to process. Bz1823672 is also about AVCs related to browsing the parent directories when rsyslog is configured to write logs to a custom file. Signed-off-by: Amith Kumar
---
diff --git a/selinux-policy/rsyslog-and-similar/Makefile b/selinux-policy/rsyslog-and-similar/Makefile
new file mode 100644
index 0000000..71bb017
--- /dev/null
+++ b/selinux-policy/rsyslog-and-similar/Makefile
@@ -0,0 +1,83 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/selinux-policy/Regression/rsyslog-and-similar
+# Description: Upstream coverage for SELinux issues with rsyslog in various configurations
+# Author: Author: Amith Kumar
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/selinux-policy/Regression/rsyslog-and-similar
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Amith Kumar " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: SELinux AVCs with rsyslog in various configurations" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 30m" >> $(METADATA)
+ @echo "RunFor: selinux-policy" >> $(METADATA)
+ @echo "RunFor: rsyslog" >> $(METADATA)
+ @echo "Requires: audit" >> $(METADATA)
+ @echo "Requires: initscripts" >> $(METADATA)
+ @echo "Requires: libselinux" >> $(METADATA)
+ @echo "Requires: libselinux-utils" >> $(METADATA)
+ @echo "Requires: logwatch" >> $(METADATA)
+ @echo "Requires: policycoreutils" >> $(METADATA)
+ @echo "Requires: policycoreutils-devel" >> $(METADATA)
+ @echo "Requires: rsyslog" >> $(METADATA)
+ @echo "Requires: rsyslog-gnutls" >> $(METADATA)
+ @echo "Requires: selinux-policy" >> $(METADATA)
+ @echo "Requires: selinux-policy-targeted" >> $(METADATA)
+ @echo "Requires: setools" >> $(METADATA)
+ @echo "Requires: setools-console" >> $(METADATA)
+ @echo "Requires: shadow-utils" >> $(METADATA)
+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+ @echo "Bug: 1823669" >> $(METADATA)
+ @echo "Bug: 1823672" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/selinux-policy/rsyslog-and-similar/PURPOSE b/selinux-policy/rsyslog-and-similar/PURPOSE
new file mode 100644
index 0000000..6a5cc0a
--- /dev/null
+++ b/selinux-policy/rsyslog-and-similar/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/selinux-policy/Regression/rsyslog-and-similar
+Author: Amith Kumar
+
+SELinux interferes with rsyslogd and related programs.
+
diff --git a/selinux-policy/rsyslog-and-similar/main.fmf b/selinux-policy/rsyslog-and-similar/main.fmf
new file mode 100644
index 0000000..621f154
--- /dev/null
+++ b/selinux-policy/rsyslog-and-similar/main.fmf
@@ -0,0 +1,8 @@
+path: /selinux-policy/rsyslog-and-similar
+summary: Test rsyslog service and verify AVC denials
+description: |
+ Test coverage for rsyslog service with different configurations and
+ verify related SELinux AVC issues.
+relevancy:
+ - "distro = rhel-4, rhel-5, rhel-6, rhel-7: False"
+
diff --git a/selinux-policy/rsyslog-and-similar/runtest.sh b/selinux-policy/rsyslog-and-similar/runtest.sh
new file mode 100755
index 0000000..cb40304
--- /dev/null
+++ b/selinux-policy/rsyslog-and-similar/runtest.sh
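Review bot: `run` and `build` are missing from the `.PHONY: all install download clean` line in this hunk, so a stray file named `build` or `run` in the test directory makes `make run` skip the `chmod`/`chcon` recipe and execute `runtest.sh` with whatever mode and label it happens to have; `.PHONY: all install download clean run build` covers both. The `$(METADATA)` recipe also builds the file with a long chain of `>>` appends, so a failure part-way (including a failing `rhts-lint`) leaves a half-written metadata file newer than the Makefile that will not be regenerated on the next run; `.DELETE_ON_ERROR:` next to the `.PHONY` line prevents that. The header comment reads `# Author: Author: Amith Kumar`, a duplicated label. The leading whitespace of the recipe lines is not recoverable from this view, so whether they carry the required hard tab could not be checked.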
@@ -0,0 +1,119 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/selinux-policy/Regression/rsyslog-and-similar
+# Description: Test coverage for SELinux AVC issues with rsyslog in various configurations
+# Author: Amith Kumar
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="selinux-policy"
+
+function custom_policy() {
+cat > rsyslog_imfile_policy.te << EOF
+module rsyslog_imfile_policy 1.0;
+
+require {
+ type syslogd_t;
+ attribute non_security_file_type;
+ class dir { read search };
+}
+
+dontaudit syslogd_t non_security_file_type:dir { read search };
+
+EOF
+make -f /usr/share/selinux/devel/Makefile rsyslog_imfile_policy.pp
+semodule -i rsyslog_imfile_policy.pp
+}
+
+function update_rsys() {
+cat >> /etc/rsyslog.conf << EOF
+
+module(load="imfile")
+
+input(type="imfile"
+ File="/var/www/product/logs/access.log"
+ Tag="product"
+ Severity="info"
+ Facility="local6")
+
+EOF
+}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ rlSESatisfyRequires
+ rlAssertRpm ${PACKAGE}
+ rlAssertRpm ${PACKAGE}-targeted
+ rlAssertRpm rsyslog
+ rlAssertRpm rsyslog-gnutls
+ rlServiceStop rsyslog
+ rlSESetEnforce
+ rlSEStatus
+ rlRun "custom_policy"
+ rlSESetTimestamp
+ sleep 2
+ rlPhaseEnd
+
+ rlPhaseStartTest "rsyslog imfile module cannot read parent directories of the file to process bz#1823669"
+ rlRun "cp -rv /etc/rsyslog.conf /etc/rsyslog.conf-orig"
+ tst_Time="$(date '+%T')"
+ rlRun "mkdir -p /var/www/product/logs"
+ rlRun "restorecon -Frv /var/www"
+ rlRun "update_rsys"
+ rlRun "systemctl restart rsyslog"
+ sleep 3
+ rlRun "ausearch -m AVC -m USER_AVC --start $tst_Time" 1
+ rlRun "cp -rv /etc/rsyslog.conf-orig /etc/rsyslog.conf"
+ rlRun "systemctl restart rsyslog"
+ rlPhaseEnd
+
+ rlPhaseStartTest "rsyslog omfile cannot append to custom file locations bz#1823672"
+ rlRun "cp -rv /etc/rsyslog.conf /etc/rsyslog.conf-orig"
+ tst_Time="$(date '+%T')"
+ rlRun "mkdir -p /my/custom/log"
+ rlRun 'semanage fcontext -a -t public_content_rw_t "/my/custom(/.*)?"'
+ rlRun "restorecon -Frv /my"
+ rlRun "echo ' ' >> /etc/rsyslog.conf"
+ rlRun "echo '*.info;mail.none;authpriv.none;cron.none /my/custom/log/file' >> /etc/rsyslog.conf"
+ rlRun "echo ' ' >> /etc/rsyslog.conf"
+ rlRun "systemctl restart rsyslog"
+ sleep 3
+ rlRun "ausearch -m AVC -m USER_AVC --start $tst_Time" 1
+ rlRun 'semanage fcontext -d -t public_content_rw_t "/my/custom(/.*)?"'
+ rlRun "semodule -r rsyslog_imfile_policy"
+ rlRun "cp -rv /etc/rsyslog.conf-orig /etc/rsyslog.conf"
+ rlRun "systemctl restart rsyslog"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+ rlRun "rm -rf /var/www/product /my /etc/rsyslog.conf-orig"
+ rlPhaseEnd
+ rlJournalPrintText
+rlJournalEnd
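Review bot: The module installed by `custom_policy` in setup carries `dontaudit syslogd_t non_security_file_type:dir { read search };`, which is exactly the parent-directory read/search denial that bz#1823669 describes, so the `ausearch -m AVC -m USER_AVC --start $tst_Time" 1` assertions in both test phases run with that denial class silenced and will report "no AVC" whether or not the policy fix is present. Unless the dontaudit is meant to mask some unrelated noise that is not visible here, the `rlRun "custom_policy"` line should be dropped (or the module limited to the specific noise it targets) so the check can actually fail. Independently, `rlRun "semodule -r rsyslog_imfile_policy"` sits inside the second test phase rather than in `rlPhaseStartCleanup`, so an aborted run leaves a module on the host that hides syslogd_t directory denials for every non_security_file_type; moving that line into the cleanup phase next to the `rm -rf` keeps the host's audit trail intact after the test.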