On Fri, Jul 19, 2019 at 11:19 AM Tom Lane <t...@sss.pgh.pa.us> wrote:
>
> I got around to trying this, and lookee here:
>
> $ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
> allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:file map; [ domain_can_mmap_files ]:True
> allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
>
> Nothing about passwd_file_t.  So *something* is different about the
> way the policy is being expanded.

Okay, I was finally able to replicate the issue (and fix it). It looks like perhaps the userdom_base_user_template changed and no longer allows reading of passwd_file_t? At any rate, I added some policy to ensure that we have the proper permissions.

I also beefed up the test script a bit so it now:
- installs the SELinux policy module
- spins up a temporary cluster to muddy postgresql.conf and run the setup sql in an isolated environment

We probably need to polish this a bit more, but what do you think about something similar to the attached patches? They should hopefully reduce some of the complexity of running these regression tests.

--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com

From 7f22a9d40ab5ad5334351932bd9010f538ba222a Mon Sep 17 00:00:00 2001 From: Mike Palmiotto <mike.palmio...@crunchydata.com> Date: Fri, 19 Jul 2019 14:15:23 -0400 Subject: [PATCH 1/2] Make sepgsql-regtest policy module less error-prone --- contrib/sepgsql/sepgsql-regtest.te | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te index e5d65243e6..5d9af1a0dd 100644 --- a/contrib/sepgsql/sepgsql-regtest.te +++ b/contrib/sepgsql/sepgsql-regtest.te @@ -31,6 +31,9 @@ userdom_base_user_template(sepgsql_regtest_superuser) userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t) userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t) userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t) + +auth_read_passwd(sepgsql_regtest_superuser_t) + optional_policy(` postgresql_stream_connect(sepgsql_regtest_superuser_t) postgresql_unconfined(sepgsql_regtest_superuser_t) @@ -60,6 +63,9 @@ userdom_base_user_template(sepgsql_regtest_dba) userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t) userdom_exec_user_home_content_files(sepgsql_regtest_dba_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) + +auth_read_passwd(sepgsql_regtest_dba_t) + optional_policy(` postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r) postgresql_stream_connect(sepgsql_regtest_dba_t) @@ -98,6 +104,9 @@ userdom_base_user_template(sepgsql_regtest_user) userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) userdom_exec_user_home_content_files(sepgsql_regtest_user_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) + +auth_read_passwd(sepgsql_regtest_user_t) + optional_policy(` postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) postgresql_stream_connect(sepgsql_regtest_user_t) 
@@ -126,6 +135,8 @@ userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t) userdom_exec_user_home_content_files(sepgsql_regtest_pool_t) userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t) +auth_read_passwd(sepgsql_regtest_pool_t) + type sepgsql_regtest_foo_t; type sepgsql_regtest_var_t; type sepgsql_regtest_foo_table_t; -- 2.21.0
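
Review bot: The four auth_read_passwd() calls are added without a comment, starting in the @@ -31,6 +31,9 @@ hunk, and the commit subject ("Make sepgsql-regtest policy module less error-prone") does not say why the test domains need to read passwd_file_t. Please add a one-line comment above the first call stating what fails without it, and say in the commit message whether all four domains were observed to need the rule; the sesearch query upthread only covered sepgsql_regtest_user_t.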
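
Review bot: In the @@ -60,6 +63,9 @@ hunk (the sepgsql_regtest_dba block), the context line directly above the new auth_read_passwd(sepgsql_regtest_dba_t) reads userdom_write_user_tmp_sockets(sepgsql_regtest_user_t), while the superuser, user and pool blocks each pass their own domain to that interface. If that is a copy-paste slip, the dba domain never receives the tmp-socket rule. Since this patch touches the adjacent lines, please confirm whether it should be sepgsql_regtest_dba_t and either fix it here or note it for a follow-up.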
From 53fb4c662347311ef6e21ca4c82b64c358f2096b Mon Sep 17 00:00:00 2001 From: Mike Palmiotto <mike.palmio...@crunchydata.com> Date: Fri, 19 Jul 2019 14:29:22 -0400 Subject: [PATCH 2/2] Add sandboxed cluster for sepgsql regression tests --- contrib/sepgsql/test_sepgsql | 47 ++++++++++++++++++++++++++++++++---- 1 file changed, 42 insertions(+), 5 deletions(-) diff --git a/contrib/sepgsql/test_sepgsql b/contrib/sepgsql/test_sepgsql index 7530363d2c..d14a1c28bc 100755 --- a/contrib/sepgsql/test_sepgsql +++ b/contrib/sepgsql/test_sepgsql @@ -15,7 +15,43 @@ PG_BINDIR=`pg_config --bindir` # we must move to contrib/sepgsql directory to run pg_regress correctly -cd `dirname $0` +cd `dirname $0` || exit 1 + +# Shut down existing test cluster and delete tmp directory if we have it +if [ -d tmp/ ]; then + # Make sure we don't have a lingering regression test cluster installed + $PG_BINDIR/pg_ctl -D tmp -o "-p 15432" stop + + sudo rm -rf tmp/ +fi + +# Iniitalize our test environment +if ! $PG_BINDIR/pg_ctl initdb -D tmp; then + echo "test cluster initdb error" + exit 1 +fi + +echo "shared_preload_libraries = 'sepgsql'" >> tmp/postgresql.conf + +for DBNAME in template0 template1 postgres; +do + $PG_BINDIR/postgres --single -F -c exit_on_error=true -p 15432 -D tmp/ $DBNAME \ + < sepgsql.sql > /dev/null +done + +# Reload the policy module +if ! sudo make -f /usr/share/selinux/devel/Makefile reload; then + echo "policy reload error" + echo "" + echo "Unable to build sepgsql-regtest policy module." + echo "Please check that you have the selinux policy source installed." + echo "The development source is typically included in selinux-policy-devel package." + exit 1 +fi + +if ! $PG_BINDIR/pg_ctl --log=tmp/sepgsql.log -D tmp -o "-p 15432" start; then + exit 1 +fi echo echo "============== checking selinux environment ==============" 
@@ -139,7 +175,7 @@ fi echo "ok" # Verify that sepgsql_regression_test_mode is active. -echo -n "checking whether policy is enabled ... " +echo -n "checking whether sepgsql_regression_test_mode policy boolean is enabled ... " POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'` echo ${POLICY_STATUS:-failed} if [ "${POLICY_STATUS}" != on ]; then @@ -166,6 +202,7 @@ if [ "${POLICY_STATUS}" != on ]; then exit 1 fi POLICY_STATUS=`getsebool sepgsql_enable_users_ddl | awk '{print $3}'` +echo -n "checking whether sepgsql_enable_users_ddl policy boolean is enabled ... " echo ${POLICY_STATUS:-failed} if [ "${POLICY_STATUS}" != on ]; then echo "" @@ -233,7 +270,7 @@ echo "ok" # loadable module must be installed and not configured to permissive mode echo -n "checking sepgsql installation ... " -VAL="`${CMD_PSQL} -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null`" +VAL="`${CMD_PSQL} -p 15432 -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null`" RETVAL="$?" if [ $RETVAL -eq 2 ]; then echo "failed" @@ -266,7 +303,7 @@ echo "ok" # NOTE: this test is wrong; we really ought to be checking template0. # But we can't connect to that without extra pushups, and it's not worth it. echo -n "checking for labels in template1 ... " -NUM=`${CMD_PSQL} -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null` +NUM=`${CMD_PSQL} -p 15432 -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null` if [ -z "${NUM}" ]; then echo "failed" echo "" @@ -287,6 +324,6 @@ echo "found ${NUM}" echo echo "============== running sepgsql regression tests ==============" -make REGRESS="label dml ddl alter misc" REGRESS_OPTS="--launcher ./launcher" installcheck +make REGRESS="label dml ddl alter misc" REGRESS_OPTS="--port=15432 --launcher ./launcher" installcheck # exit with the exit code provided by "make" -- 2.21.0
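
Review bot: In the @@ -15,7 +15,43 @@ hunk, the exit status of the single-user load loop is never checked: "$PG_BINDIR/postgres --single -F -c exit_on_error=true ... < sepgsql.sql > /dev/null" can fail for any of the three databases and the script still goes on to reload the policy and start the cluster, with the output already discarded. Add "|| exit 1" (with a message) inside the loop, as is done for initdb and pg_ctl start. In the same hunk, "sudo rm -rf tmp/" removes a directory that initdb created as the invoking user; use plain rm, or add a comment explaining why root is required. The comment "# Iniitalize our test environment" has a typo.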
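
Review bot: In the @@ -166,6 +202,7 @@ hunk, the new echo -n "checking whether sepgsql_enable_users_ddl policy boolean is enabled ... " is placed after the POLICY_STATUS=`getsebool sepgsql_enable_users_ddl ...` assignment, whereas the sepgsql_regression_test_mode check in the previous hunk prints its message before calling getsebool. Move the echo above the assignment so both checks follow the same order and the message appears before the command runs.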
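
Review bot: In the final hunk (@@ -287,6 +324,6 @@), nothing stops the temporary cluster once "make ... installcheck" returns; the only pg_ctl stop in the patch is the one at the top of the script, which runs on the next invocation. That leaves a postmaster with sepgsql preloaded listening on port 15432 after the tests finish. Since the closing comment says the script exits with make's status, save that status, run pg_ctl -D tmp stop, then exit with the saved value. The port 15432 is also hard-coded in six places across the hunks; a single variable set near PG_BINDIR would keep them in sync.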