Add some environment checks prior to sepgsql regression testing.

This probably needs more work, but it's a start.

KaiGai Kohei

contrib/sepgsql/Makefile

@@ -5,6 +5,7 @@ OBJS = hooks.o selinux.o label.o dml.o \
 	schema.o relation.o proc.o
 DATA_built = sepgsql.sql
 REGRESS = label dml misc
+REGRESS_PREP = check_selinux_environment
 EXTRA_CLEAN = -r tmp *.pp sepgsql-regtest.if sepgsql-regtest.fc
 
 ifdef USE_PGXS
@@ -20,3 +21,6 @@ endif
 
 SHLIB_LINK += $(filter -lselinux, $(LIBS))
 REGRESS_OPTS += --launcher $(top_builddir)/contrib/sepgsql/launcher
+
+check_selinux_environment:
+	@$(top_builddir)/contrib/sepgsql/chkselinuxenv "$(bindir)" "$(datadir)"

contrib/sepgsql/chkselinuxenv

@@ -0,0 +1,247 @@
+#!/bin/sh
+#
+# SELinux environment checks to ensure configuration of the operating system
+# satisfies prerequisites to run regression test.
+# If incorrect settings are found, this script suggest user a hint.
+#
+PG_BINDIR="$1"
+PG_DATADIR="$2"
+
+echo
+echo "============== checking selinux environment           =============="
+
+#
+# Test.1 - must be launched at unconfined_t domain
+#
+echo -n "test unconfined_t domain      ... "
+
+DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'`
+if [ "${DOMAIN}" != "unconfined_t" ]; then
+    echo "failed"
+    echo
+    echo "This regression test needs to be launched on unconfined_t domain."
+    echo
+    echo "The unconfined_t domain is mostly default domain of users' shell"
+    echo "process. So, we suggest you to revert your special configuration"
+    echo "on your system, as follows:"
+    echo
+    echo "  \$ su -"
+    echo "  # semanage login -d `whoami`"
+    echo
+    echo "Or, add a setting to login as unconfined_t domain"
+    echo
+    echo "  \$ su -"
+    echo "  # semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`"
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.2 - 'runcon' must exist and be executable
+#
+echo -n "test runon command            ... "
+
+CMD_RUNCON="`which runcon 2>/dev/null`"
+if [ ! -x "${CMD_RUNCON}" ]; then
+    echo "failed"
+    echo
+    echo "The runcon must exist and be executable; it is internally used to"
+    echo "launch psql command with a particular domain. It is mostly included"
+    echo "within coreutils package. So, our suggestion is to install the latest"
+    echo "version of this package."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.3 - 'sestatus' must exist and be executable
+#
+echo -n "test sestatus command         ... "
+
+CMD_SESTATUS="`which sestatus 2>/dev/null`"
+if [ ! -x "${CMD_SESTATUS}" ]; then
+    echo "failed"
+    echo
+    echo "The sestatus should exist and be executable; it is internally used to"
+    echo "this checks; to show configuration of SELinux. It is mostly included"
+    echo "within policycoreutils package. So, our suggestion is to install the"
+    echo "latest version of this package."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.4 - 'getsebool' must exist and be executable
+#
+echo -n "test getsebool command        ... "
+
+CMD_GETSEBOOL="`which getsebool`"
+if [ ! -x "${CMD_GETSEBOOL}" ]; then
+    echo "failed"
+    echo
+    echo "The getsebool should exist and be executable; it is internally used to"
+    echo "this checks; to show current setting of SELinux boolean variables."
+    echo "It is mostly included within libselinux-utils package. So, our suggestion"
+    echo "is to install the latest version of this package."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.5 - SELinux must be configured to enforcing mode
+#
+echo -n "test enforcing mode           ... "
+
+CURRENT_MODE=`env LANG=C ${CMD_SESTATUS} | grep 'Current mode:' | awk '{print $3}'`
+if [ "${CURRENT_MODE}" != "enforcing" ]; then
+    echo "failed"
+    echo
+    echo "SELinux must be configured to 'enforcing' mode."
+    echo "You can switch SELinux to enforcing mode using setenforce command,"
+    echo "as follows:"
+    echo
+    echo "  \$ su -"
+    echo "  # setenforce 1"
+    echo
+    echo "The system default setting is configured at /etc/selinux/config,"
+    echo "or kernel bool parameter. Please also check it, if you see this"
+    echo "message although you didn't switch to permissive mode."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.6 - 'sepgsql-regtest' policy module must be loaded
+#
+echo -n "test sepgsql-regtest policy   ... "
+
+SELINUX_MNT=`env LANG=C ${CMD_SESTATUS} | grep '^SELinuxfs mount:' | awk '{print $3}'`
+if [ ! -e ${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ]; then
+    echo "failed"
+    echo
+    echo "The 'sepgsql-regtest' policy module must be installed; that provide"
+    echo "a set of special rules for this regression test."
+    echo "You can install this module as follows:"
+    echo
+    echo "  \$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux"
+    echo "  \$ su"
+    echo "  # semodule -i contrib/sepgsql/sepgsql-regtest.pp"
+    echo
+    echo "Then, you can confirm the policy package being installed, as follows:"
+    echo
+    echo "  # semodule -l | grep sepgsql"
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.7 - 'sepgsql_regression_test_mode' must be turned on
+#
+echo -n "test selinux boolean          ... "
+
+if ! ${CMD_GETSEBOOL} sepgsql_regression_test_mode | grep -q ' on$'; then
+    echo "failed"
+    echo
+    echo "The boolean variable of 'sepgsql_regression_test_mode' must be"
+    echo "turned. It affects an internal state of SELinux policy, then"
+    echo "a set of rules to run regression test will be activated."
+    echo "You can turn on this variable as follows:"
+    echo
+    echo "  \$ su -"
+    echo "  # setsebool sepgsql_regression_test_mode 1"
+    echo
+    echo "Also note that we recommend to turn off this variable after the"
+    echo "regression test, because it activates unnecessary rules."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.8 - 'psql' command must be labeled as 'bin_t' type
+#
+echo -n "test label of psql            ... "
+
+CMD_PSQL="${PG_BINDIR}/psql"
+LABEL_PSQL=`stat -c '%C' ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'`
+if [ "${LABEL_PSQL}" != "bin_t" ]; then
+    echo "failed"
+    echo
+    echo "The ${CMD_PSQL} must be labeled as bin_t type."
+    echo "You can assign right label using restorecon, as follows:"
+    echo
+    echo "  \$ su - (not needed, if you owns installation directory)"
+    echo "  # restorecon -R ${PG_BINDIR}"
+    echo
+    echo "Or, using chcon"
+    echo
+    echo "  # chcon -t bin_t ${CMD_PSQL}"
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.9 - 'sepgsql' must be installed
+#          and, not configured to permissive mode
+#
+echo -n "test sepgsql installation     ... "
+
+VAL="`${CMD_PSQL} template1 -tc 'SHOW sepgsql.permissive' 2>/dev/null`"
+RETVAL="$?"
+if [ $RETVAL -eq 2 ]; then
+    echo "failed"
+    echo
+    echo "The postgresql server process is not connectable."
+    echo "Please check your installation first, rather than selinux settings."
+    echo
+    exit 1
+elif [ $RETVAL -ne 0 ]; then
+    echo "failed"
+    echo
+    echo "The sepgsql module was not loaded. So, our recommendation is to"
+    echo "confirm 'shared_preload_libraries' setting in postgresql.conf,"
+    echo "then restart server process."
+    echo "It must have '\$libdir/sepgsql' at least."
+    echo
+    exit 1
+elif ! echo "$VAL" | grep -q 'off$'; then
+    echo "failed"
+    echo
+    echo "The GUC variable 'sepgsql.permissive' was set to 'on', although"
+    echo "system configuration is enforcing mode."
+    echo "You should eliminate this setting from postgresql.conf, then"
+    echo "restart server process."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.10 - 'template1' database must be labeled
+#
+echo -n "test template1 database       ... "
+
+NUM=`${CMD_PSQL} template1 -tc 'SELECT count(*) FROM pg_catalog.pg_seclabel' 2>/dev/null`
+if [ -z "${NUM}" -o "$NUM" -eq 0 ]; then
+    echo "failed!"
+    echo
+    echo "Initial labels must be assigned on the 'template1' database; that shall"
+    echo "be copied to the database for regression test."
+    echo "See Installation section of the PostgreSQL documentation."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# check complete - 
+#
+echo
+exit 0

src/makefiles/pgxs.mk

@@ -257,7 +257,7 @@ ifndef PGXS
 endif
 
 # against installed postmaster
-installcheck: submake
+installcheck: submake $(REGRESS_PREP)
 	$(pg_regress_installcheck) $(REGRESS_OPTS) $(REGRESS)
 
 ifdef PGXS
@@ -265,7 +265,7 @@ check:
 	@echo '"$(MAKE) check" is not supported.'
 	@echo 'Do "$(MAKE) install", then "$(MAKE) installcheck" instead.'
 else
-check: all submake
+check: all submake $(REGRESS_PREP)
 	$(pg_regress_check) --extra-install=$(subdir) $(REGRESS_OPTS) $(REGRESS)
 endif
 endif # REGRESS