diff --git a/selinux-policy/rsyslog-and-similar/Makefile b/selinux-policy/rsyslog-and-similar/Makefile
new file mode 100644
index 0000000..71bb017
--- /dev/null
+++ b/selinux-policy/rsyslog-and-similar/Makefile
@@ -0,0 +1,83 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/selinux-policy/Regression/rsyslog-and-similar
+# Description: Upstream coverage for SELinux issues with rsyslog in various configurations
+# Author: Author: Amith Kumar
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/selinux-policy/Regression/rsyslog-and-similar
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Amith Kumar " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: SELinux AVCs with rsyslog in various configurations" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 30m" >> $(METADATA)
+ @echo "RunFor: selinux-policy" >> $(METADATA)
+ @echo "RunFor: rsyslog" >> $(METADATA)
+ @echo "Requires: audit" >> $(METADATA)
+ @echo "Requires: initscripts" >> $(METADATA)
+ @echo "Requires: libselinux" >> $(METADATA)
+ @echo "Requires: libselinux-utils" >> $(METADATA)
+ @echo "Requires: logwatch" >> $(METADATA)
+ @echo "Requires: policycoreutils" >> $(METADATA)
+ @echo "Requires: policycoreutils-devel" >> $(METADATA)
+ @echo "Requires: rsyslog" >> $(METADATA)
+ @echo "Requires: rsyslog-gnutls" >> $(METADATA)
+ @echo "Requires: selinux-policy" >> $(METADATA)
+ @echo "Requires: selinux-policy-targeted" >> $(METADATA)
+ @echo "Requires: setools" >> $(METADATA)
+ @echo "Requires: setools-console" >> $(METADATA)
+ @echo "Requires: shadow-utils" >> $(METADATA)
+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+ @echo "Bug: 1823669" >> $(METADATA)
+ @echo "Bug: 1823672" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/selinux-policy/rsyslog-and-similar/PURPOSE b/selinux-policy/rsyslog-and-similar/PURPOSE
new file mode 100644
index 0000000..6a5cc0a
--- /dev/null
+++ b/selinux-policy/rsyslog-and-similar/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/selinux-policy/Regression/rsyslog-and-similar
+Author: Amith Kumar
+
+SELinux interferes with rsyslogd and related programs.
+
diff --git a/selinux-policy/rsyslog-and-similar/main.fmf b/selinux-policy/rsyslog-and-similar/main.fmf
new file mode 100644
index 0000000..621f154
--- /dev/null
+++ b/selinux-policy/rsyslog-and-similar/main.fmf
@@ -0,0 +1,8 @@
+path: /selinux-policy/rsyslog-and-similar
+summary: Test rsyslog service and verify AVC denials
+description: |
+ Test coverage for rsyslog service with different configurations and
+ verify related SELinux AVC issues.
+relevancy:
+ - "distro = rhel-4, rhel-5, rhel-6, rhel-7: False"
+
diff --git a/selinux-policy/rsyslog-and-similar/runtest.sh b/selinux-policy/rsyslog-and-similar/runtest.sh
new file mode 100755
index 0000000..cb40304
--- /dev/null
+++ b/selinux-policy/rsyslog-and-similar/runtest.sh
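Review bot: `run` and `build` are not declared phony although neither names a file this Makefile produces, so a stray file called `run` or `build` in the test directory would make them silently "up to date"; the `.PHONY` line only lists `all install download clean`, which presumably come from the included rhts-make.include. I would change it to `.PHONY: all install download clean run build`. The header also carries a duplicated label, `# Author: Author: Amith Kumar`, which should read `# Author: Amith Kumar` as it does in PURPOSE. The `Environment: AVC_ERROR=+no_avc_check` entry turns off the harness's own AVC check, which is reasonable because runtest.sh inspects AVCs itself, but a comment near the top of the Makefile such as `# AVC_ERROR=+no_avc_check: the harness AVC check is disabled; runtest.sh checks AVCs with ausearch and rlSECheckAVC` would keep someone from dropping it or relying on the harness instead.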
@@ -0,0 +1,119 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/selinux-policy/Regression/rsyslog-and-similar
+# Description: Test coverage for SELinux AVC issues with rsyslog in various configurations
+# Author: Amith Kumar
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="selinux-policy"
+
+function custom_policy() {
+cat > rsyslog_imfile_policy.te << EOF
+module rsyslog_imfile_policy 1.0;
+
+require {
+ type syslogd_t;
+ attribute non_security_file_type;
+ class dir { read search };
+}
+
+dontaudit syslogd_t non_security_file_type:dir { read search };
+
+EOF
+make -f /usr/share/selinux/devel/Makefile rsyslog_imfile_policy.pp
+semodule -i rsyslog_imfile_policy.pp
+}
+
+function update_rsys() {
+cat >> /etc/rsyslog.conf << EOF
+
+module(load="imfile")
+
+input(type="imfile"
+ File="/var/www/product/logs/access.log"
+ Tag="product"
+ Severity="info"
+ Facility="local6")
+
+EOF
+}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ rlSESatisfyRequires
+ rlAssertRpm ${PACKAGE}
+ rlAssertRpm ${PACKAGE}-targeted
+ rlAssertRpm rsyslog
+ rlAssertRpm rsyslog-gnutls
+ rlServiceStop rsyslog
+ rlSESetEnforce
+ rlSEStatus
+ rlRun "custom_policy"
+ rlSESetTimestamp
+ sleep 2
+ rlPhaseEnd
+
+ rlPhaseStartTest "rsyslog imfile module cannot read parent directories of the file to process bz#1823669"
+ rlRun "cp -rv /etc/rsyslog.conf /etc/rsyslog.conf-orig"
+ tst_Time="$(date '+%T')"
+ rlRun "mkdir -p /var/www/product/logs"
+ rlRun "restorecon -Frv /var/www"
+ rlRun "update_rsys"
+ rlRun "systemctl restart rsyslog"
+ sleep 3
+ rlRun "ausearch -m AVC -m USER_AVC --start $tst_Time" 1
+ rlRun "cp -rv /etc/rsyslog.conf-orig /etc/rsyslog.conf"
+ rlRun "systemctl restart rsyslog"
+ rlPhaseEnd
+
+ rlPhaseStartTest "rsyslog omfile cannot append to custom file locations bz#1823672"
+ rlRun "cp -rv /etc/rsyslog.conf /etc/rsyslog.conf-orig"
+ tst_Time="$(date '+%T')"
+ rlRun "mkdir -p /my/custom/log"
+ rlRun 'semanage fcontext -a -t public_content_rw_t "/my/custom(/.*)?"'
+ rlRun "restorecon -Frv /my"
+ rlRun "echo ' ' >> /etc/rsyslog.conf"
+ rlRun "echo '*.info;mail.none;authpriv.none;cron.none /my/custom/log/file' >> /etc/rsyslog.conf"
+ rlRun "echo ' ' >> /etc/rsyslog.conf"
+ rlRun "systemctl restart rsyslog"
+ sleep 3
+ rlRun "ausearch -m AVC -m USER_AVC --start $tst_Time" 1
+ rlRun 'semanage fcontext -d -t public_content_rw_t "/my/custom(/.*)?"'
+ rlRun "semodule -r rsyslog_imfile_policy"
+ rlRun "cp -rv /etc/rsyslog.conf-orig /etc/rsyslog.conf"
+ rlRun "systemctl restart rsyslog"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+ rlRun "rm -rf /var/www/product /my /etc/rsyslog.conf-orig"
+ rlPhaseEnd
+ rlJournalPrintText
+rlJournalEnd
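Review bot: The `dontaudit syslogd_t non_security_file_type:dir { read search };` module that `custom_policy` loads in setup silences exactly the denial class the bz#1823669 phase is looking for, so `rlRun "ausearch -m AVC -m USER_AVC --start $tst_Time" 1` in that phase cannot fail even if syslogd_t loses directory search access again — the access is still denied, it is just no longer logged. If the module is only meant to mask unrelated imfile directory-scan noise, that should be said in a comment above `function custom_policy()` and the module should not be in place while the imfile check runs; otherwise the phase should run without it. Teardown is also split between the second test phase and cleanup: `semodule -r rsyslog_imfile_policy` and the `semanage fcontext -d` belong in `rlPhaseStartCleanup`, where they run regardless of how the phases end, and `rlServiceStop rsyslog` in setup has no matching `rlServiceRestore rsyslog` there, so the host is left with rsyslog in whatever state the last `systemctl restart` put it. The `cp -rv` backup/restore pairs could likewise become a single `rlFileBackup /etc/rsyslog.conf` in setup and `rlFileRestore` in cleanup.
```shell
    rlPhaseStartCleanup
        # … unchanged: sleep 2, rlSECheckAVC …
        rlRun "semodule -r rsyslog_imfile_policy"
        rlRun 'semanage fcontext -d -t public_content_rw_t "/my/custom(/.*)?"'
        rlRun "rm -rf /var/www/product /my /etc/rsyslog.conf-orig"
        rlServiceRestore rsyslog
    rlPhaseEnd
```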