#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/selinux-policy/Regression/rsyslog-and-similar
# Description: Test coverage for SELinux AVC issues with rsyslog in various configurations
# Author: Amith Kumar <apeetham@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include rhts environment
. /usr/share/beakerlib/beakerlib.sh
# Base name of the policy package under test; the setup phase asserts that
# this package and its "-targeted" variant are installed.
PACKAGE='selinux-policy'
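# Build and load a local SELinux policy module for the rsyslog imfile test.
#
# Writes rsyslog_imfile_policy.te into the current directory, compiles it with
# the selinux-policy devel Makefile and installs the resulting package with
# semodule.
#
# NOTE(review): the module's only rule is a dontaudit. It grants syslogd_t no
# access; it only stops read/search denials on non_security_file_type
# directories from being written to the audit log. A later "no AVC found"
# result therefore shows that the denial is silent, not that the access is
# allowed, and while the module is loaded these denials are also hidden from
# any audit-based monitoring.
#
# Returns: 0 when the module was built and installed, otherwise the exit
# status of the first step that failed.
function custom_policy() {
    local module="rsyslog_imfile_policy"

    # Quoted delimiter: the policy source is written literally, with no shell
    # expansion inside the here-document.
    cat > "${module}.te" << 'EOF' || return
module rsyslog_imfile_policy 1.0;

require {
    type syslogd_t;
    attribute non_security_file_type;
    class dir { read search };
}

dontaudit syslogd_t non_security_file_type:dir { read search };

EOF

    # Stop here when the build fails. Otherwise a .pp left over from an
    # earlier run could be installed and the function would report success.
    make -f /usr/share/selinux/devel/Makefile "${module}.pp" || return

    semodule -i "${module}.pp"
}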
# Append an imfile input to /etc/rsyslog.conf.
#
# The appended block loads the imfile module and makes rsyslog follow
# /var/www/product/logs/access.log, tagging entries "product" with severity
# "info" and facility "local6". The file is only appended to; callers are
# expected to keep their own backup of the original configuration.
#
# Returns: the exit status of the append.
update_rsys() {
    local conf="/etc/rsyslog.conf"

    # Quoted delimiter: the block contains no shell expansions and is written
    # to the configuration file exactly as shown.
    cat >> "${conf}" << 'RSYSLOG_IMFILE'

module(load="imfile")

input(type="imfile"
File="/var/www/product/logs/access.log"
Tag="product"
Severity="info"
Facility="local6")

RSYSLOG_IMFILE
}
rlJournalStart

# Setup: import the shared selinux-policy test library, check that the
# required packages are present, stop rsyslog, switch to enforcing mode and
# load the local dontaudit module before any test phase runs.
rlPhaseStartSetup
    rlRun "rlImport 'selinux-policy/common'"
    rlSESatisfyRequires

    # Every package the test phases depend on must be installed.
    for required_rpm in "${PACKAGE}" "${PACKAGE}-targeted" rsyslog rsyslog-gnutls; do
        rlAssertRpm "${required_rpm}"
    done

    rlServiceStop rsyslog

    # The rlSE* helpers are not defined in this file; presumably they come
    # from the library imported above - confirm there.
    rlSESetEnforce
    rlSEStatus

    # From here on syslogd_t read/search denials on non-security directories
    # are no longer audited (see custom_policy).
    rlRun "custom_policy"

    rlSESetTimestamp
    sleep 2
rlPhaseEnd
# bz#1823669: point the imfile module at a log file below /var/www, restart
# rsyslog and require that the audit log holds no AVC record from the start of
# this phase onwards.
rlPhaseStartTest "rsyslog imfile module cannot read parent directories of the file to process bz#1823669"
    # Keep a copy of the configuration; it is put back at the end of the phase.
    rlRun "cp -rv /etc/rsyslog.conf /etc/rsyslog.conf-orig"

    # Lower bound for the audit search below. Only the time of day is
    # recorded, so a run that crosses midnight would search the wrong window.
    tst_Time="$(date +%T)"

    rlRun "mkdir -p /var/www/product/logs"
    rlRun "restorecon -Frv /var/www"
    rlRun "update_rsys"
    rlRun "systemctl restart rsyslog"
    sleep 3

    # Expected exit status 1: ausearch found no matching record.
    # NOTE(review): the module loaded in Setup dontaudits the syslogd_t
    # directory read/search denials this scenario produces, so "no AVC" here
    # shows the denial is not logged; it does not show that rsyslog can read
    # the directory.
    rlRun "ausearch -m AVC --start $tst_Time" 1

    # Put the original configuration back and reload it.
    rlRun "cp -rv /etc/rsyslog.conf-orig /etc/rsyslog.conf"
    rlRun "systemctl restart rsyslog"
rlPhaseEnd
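# bz#1823672: let rsyslog append to a log file in a custom location that is
# labelled public_content_rw_t, with the logging_syslogd_append_public_content
# boolean switched on, and require that no AVC record is logged.
rlPhaseStartTest "rsyslog omfile cannot append to custom file locations bz#1823672"
    # Remember the boolean's current value so the phase can put it back
    # instead of forcing it off. Anything other than on/off (for example when
    # getsebool fails) falls back to "off".
    append_bool_orig="$(getsebool logging_syslogd_append_public_content | awk '{ print $NF }')"
    case "${append_bool_orig}" in
        on|off) ;;
        *) append_bool_orig="off" ;;
    esac

    rlRun "setsebool logging_syslogd_append_public_content on"
    rlRun "cp -rv /etc/rsyslog.conf /etc/rsyslog.conf-orig"

    # Lower bound for the audit search below. Only the time of day is
    # recorded, so a run that crosses midnight would search the wrong window.
    tst_Time="$(date '+%T')"

    rlRun "mkdir -p /my/custom/log"
    rlRun "touch /my/custom/log/file"

    # Label the custom tree public_content_rw_t, the type that the boolean
    # above lets syslogd append to, then apply the label.
    rlRun 'semanage fcontext -a -t public_content_rw_t "/my/custom(/.*)?"'
    rlRun "restorecon -Frv /my"

    # Add a rule that sends *.info messages to the custom file.
    rlRun "echo ' ' >> /etc/rsyslog.conf"
    rlRun "echo '*.info;mail.none;authpriv.none;cron.none /my/custom/log/file' >> /etc/rsyslog.conf"
    rlRun "echo ' ' >> /etc/rsyslog.conf"
    rlRun "systemctl restart rsyslog"
    sleep 3

    # Expected exit status 1: ausearch found no matching record.
    rlRun "ausearch -m AVC --start $tst_Time" 1

    # Undo the labelling rule and unload the dontaudit module installed in
    # Setup, so hidden denials become visible in the audit log again.
    rlRun 'semanage fcontext -d -t public_content_rw_t "/my/custom(/.*)?"'
    rlRun "semodule -r rsyslog_imfile_policy"

    rlRun "cp -rv /etc/rsyslog.conf-orig /etc/rsyslog.conf"
    rlRun "systemctl restart rsyslog"

    # Return the boolean to the value it had before this phase.
    rlRun "setsebool logging_syslogd_append_public_content ${append_bool_orig}"
rlPhaseEnd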
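# Cleanup: run the final AVC check, remove everything the test created and
# return rsyslog to the state it had before Setup stopped it.
rlPhaseStartCleanup
    sleep 2

    # Not defined in this file; presumably reports AVC records logged since
    # the timestamp taken in Setup - confirm in the imported library.
    rlSECheckAVC

    rlRun "rm -rf /var/www/product /my /etc/rsyslog.conf-orig"

    # Remove the policy source and build output from the working directory.
    # A leftover .pp from this run must not be picked up by a later one. The
    # devel Makefile may also have created .if/.fc stubs next to the .te file.
    rlRun "rm -f rsyslog_imfile_policy.te rsyslog_imfile_policy.pp rsyslog_imfile_policy.if rsyslog_imfile_policy.fc"

    # Setup used rlServiceStop, which records the service's prior state;
    # restore it instead of leaving rsyslog however the last restart left it.
    rlServiceRestore rsyslog
rlPhaseEnd

rlJournalPrintText
rlJournalEnd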