From 5fc4b5a48e47c310506c9dd8fd0e94f5071f590a Mon Sep 17 00:00:00 2001 From: Milos Malik Date: Nov 07 2023 08:33:04 +0000 Subject: test fcontext equivalences via the restorecond service A recent bug report revealed that the restorecond service (after its start) mislabels files in the /usr/bin/ directory when its configuration file (/etc/selinux/restorecond.conf) contains the following line: /bin/* Further investigation revealed that the problem is caused by the selinux-policy component which does not define a file context equivalency between /bin and /usr/bin (/bin is a symlink to /usr/bin). The TC reproduces the situation and it also tests other symlinks which are present in /. The restorecond service behaved correctly the whole time. The TC covers RHEL-5032.
---
diff --git a/selinux-policy/restorecond-fcontext-equivalences/main.fmf b/selinux-policy/restorecond-fcontext-equivalences/main.fmf
new file mode 100644
index 0000000..30bd38d
--- /dev/null
+++ b/selinux-policy/restorecond-fcontext-equivalences/main.fmf
@@ -0,0 +1,31 @@
+summary: the restorecond service honors fcontext equivalences
+description: |
+ The restorecond service mislabels files when fcontext equivalences
+ (shipped by the selinux-policy component) are not configured properly.
+test: ./test.sh
+framework: beakerlib
+contact: Milos Malik
+component:
+ - selinux-policy
+recommend:
+ - selinux-policy
+ - policycoreutils
+ - policycoreutils-restorecond
+ - /usr/sbin/service
+duration: 15m
+enabled: true
+tag:
+ - NoRHEL4
+ - NoRHEL5
+ - NoRHEL6
+ - NoRHEL7
+ - failinfedora
+ - targeted
+link:
+ - verifies: https://issues.redhat.com/browse/RHEL-5032
+adjust:
+ - enabled: false
+ when: distro == rhel-4, rhel-5, rhel-6, rhel-7
+ continue: false
+extra-nitrate: TC#0615936
+id: 14b57b44-c644-48fb-a3a1-b4c57da675a6
diff --git a/selinux-policy/restorecond-fcontext-equivalences/test.sh b/selinux-policy/restorecond-fcontext-equivalences/test.sh
new file mode 100755
index 0000000..a820705
--- /dev/null
+++ b/selinux-policy/restorecond-fcontext-equivalences/test.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm selinux-policy
+ rlAssertRpm policycoreutils-restorecond
+ rlServiceStop restorecond
+ rlFileBackup /etc/selinux/restorecond.conf
+ # add locations which are in fact symlinks
+ rlRun "echo -en '\n/bin/*\n/sbin/*\n/lib/*\n/lib64/*\n' >> /etc/selinux/restorecond.conf"
+ rlPhaseEnd
+
+ rlPhaseStartTest "RHEL-5032"
+ rlRun "service restorecond start"
+ rlRun "service restorecond status"
+ rlRun -s "restorecon -Rv /usr/bin /usr/sbin /usr/lib /usr/lib64"
+ rlRun "grep -i 'relabeled.*from.*to' $rlRun_LOG" 1
+ rm -f $rlRun_LOG
+ rlRun "service restorecond stop"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlFileRestore
+ rlServiceRestore restorecond
+ rlPhaseEnd
+rlJournalEnd
+
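Review bot: The check in the "RHEL-5032" phase can pass on a broken policy, because `restorecon -Rv` runs right after `service restorecond start` and nothing visible in the hunk waits for restorecond to finish labeling the `/bin/*`, `/sbin/*`, `/lib/*` and `/lib64/*` entries; whether the start command returns only after that initial pass is not shown here, so this is worth confirming. If it is asynchronous, a settle step before the check, for example `rlRun "sleep 5"` after the status call (duration to be tuned), would close the window. The cleanup phase also restores the config and the service but never relabels, so any labels restorecond changes after the in-test `restorecon` run stay wrong on the machine; `rlRun "restorecon -R /usr/bin /usr/sbin /usr/lib /usr/lib64"` after `rlServiceRestore restorecond` would repair them. Minor style: quote the log path, `rm -f "$rlRun_LOG"`.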