mirror of
				https://github.com/postgres/postgres.git
				synced 2025-10-24 00:03:18 -04:00 
			
		
		
		
	Use SELinux "db_table: { truncate }" to check if permission is granted to
TRUNCATE. Update example SELinux policy to grant needed permission for
TRUNCATE. Add new regression test to demonstrate a positive and negative
cases. Test will only be run if the loaded SELinux policy has the
"db_table: { truncate }" permission. Makes use of recent commit which added
object TRUNCATE hook. Patch by Yuli Khodorkovskiy with minor
editorialization by me. Not back-patched because the object TRUNCATE hook
was not.
Author: Yuli Khodorkovskiy
Reviewed-by: Joe Conway
Discussion: https://postgr.es/m/CAFL5wJcomybj1Xdw7qWmPJRpGuFukKgNrDb6uVBaCMgYS9dkaA%40mail.gmail.com
		
	
			
		
			
				
	
	
		
			307 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			Bash
		
	
	
		
			Executable File
		
	
	
	
	
			
		
		
	
	
			307 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			Bash
		
	
	
		
			Executable File
		
	
	
	
	
| #!/bin/sh
 | |
| #
 | |
| # Run the sepgsql regression tests, after making a lot of environmental checks
 | |
| # to try to ensure that the SELinux environment is set up appropriately and
 | |
| # the database is configured correctly.
 | |
| #
 | |
| # Note that this must be run against an installed Postgres database.
 | |
| # There's no equivalent of "make check", and that wouldn't be terribly useful
 | |
| # since much of the value is in checking that you installed sepgsql into
 | |
| # your database correctly.
 | |
| #
 | |
| # This must be run in the contrib/sepgsql directory of a Postgres build tree.
 | |
| #
 | |
| 
 | |
| PG_BINDIR=`pg_config --bindir`
 | |
| 
 | |
| # we must move to contrib/sepgsql directory to run pg_regress correctly
 | |
| cd `dirname $0`
 | |
| 
 | |
| echo
 | |
| echo "============== checking selinux environment           =============="
 | |
| 
 | |
| # matchpathcon must be present to assess whether the installation environment
 | |
| # is OK.
 | |
| echo -n "checking for matchpathcon           ... "
 | |
| if ! matchpathcon -n . >/dev/null 2>&1; then
 | |
|     echo "not found"
 | |
|     echo ""
 | |
|     echo "The matchpathcon command must be available."
 | |
|     echo "Please install it or update your PATH to include it"
 | |
|     echo "(it is typically in '/usr/sbin', which might not be in your PATH)."
 | |
|     echo "matchpathcon is typically included in the libselinux-utils package."
 | |
|     exit 1
 | |
| fi
 | |
| echo "ok"
 | |
| 
 | |
| # runcon must be present to launch psql using the correct environment
 | |
| echo -n "checking for runcon                 ... "
 | |
| if ! runcon --help >/dev/null 2>&1; then
 | |
|     echo "not found"
 | |
|     echo ""
 | |
|     echo "The runcon command must be available."
 | |
|     echo "runcon is typically included in the coreutils package."
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| echo "ok"
 | |
| 
 | |
| # check sestatus too, since that lives in yet another package
 | |
| echo -n "checking for sestatus               ... "
 | |
| if ! sestatus >/dev/null 2>&1; then
 | |
|     echo "not found"
 | |
|     echo ""
 | |
|     echo "The sestatus command must be available."
 | |
|     echo "sestatus is typically included in the policycoreutils package."
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| echo "ok"
 | |
| 
 | |
| # check that the user is running in the unconfined_t domain
 | |
| echo -n "checking current user domain        ... "
 | |
| DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'`
 | |
| echo ${DOMAIN:-failed}
 | |
| if [ "${DOMAIN}" != unconfined_t ]; then
 | |
|     echo ""
 | |
|     echo "The regression tests must be launched from the unconfined_t domain."
 | |
|     echo ""
 | |
|     echo "The unconfined_t domain is typically the default domain for user"
 | |
|     echo "shell processes.  If the default has been changed on your system,"
 | |
|     echo "you can revert the changes like this:"
 | |
|     echo ""
 | |
|     echo "  \$ sudo semanage login -d `whoami`"
 | |
|     echo ""
 | |
|     echo "Or, you can add a setting to log in using the unconfined_t domain:"
 | |
|     echo ""
 | |
|     echo "  \$ sudo semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`"
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| 
 | |
| # SELinux must be configured in enforcing mode
 | |
| echo -n "checking selinux operating mode     ... "
 | |
| CURRENT_MODE=`LANG=C sestatus | grep '^Current mode:' | awk '{print $3}'`
 | |
| echo ${CURRENT_MODE:-failed}
 | |
| if [ "${CURRENT_MODE}" = enforcing ]; then
 | |
|     : OK
 | |
| elif [ "${CURRENT_MODE}" = permissive -o "${CURRENT_MODE}" = disabled ]; then
 | |
|     echo ""
 | |
|     echo "Before running the regression tests, SELinux must be enabled and"
 | |
|     echo "must be running in enforcing mode."
 | |
|     echo ""
 | |
|     echo "If SELinux is currently running in permissive mode, you can"
 | |
|     echo "switch to enforcing mode using the 'setenforce' command."
 | |
|     echo
 | |
|     echo "  \$ sudo setenforce 1"
 | |
|     echo ""
 | |
|     echo "The system default setting is configured in /etc/selinux/config,"
 | |
|     echo "or using a kernel boot parameter."
 | |
|     echo ""
 | |
|     exit 1
 | |
| else
 | |
|     echo ""
 | |
|     echo "Unable to determine the current selinux operating mode.  Please"
 | |
|     echo "verify that the sestatus command is installed and in your PATH."
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| 
 | |
| # 'sepgsql-regtest' policy module must be loaded
 | |
| echo -n "checking for sepgsql-regtest policy ... "
 | |
| SELINUX_MNT=`LANG=C sestatus | grep '^SELinuxfs mount:' | awk '{print $3}'`
 | |
| if [ "$SELINUX_MNT" = "" ]; then
 | |
|     echo "failed"
 | |
|     echo ""
 | |
|     echo "Unable to find SELinuxfs mount point."
 | |
|     echo ""
 | |
|     echo "The sestatus command should report the location where SELinuxfs"
 | |
|     echo "is mounted, but did not do so."
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| if [ ! -e "${SELINUX_MNT}/booleans/sepgsql_regression_test_mode" ]; then
 | |
|     echo "failed"
 | |
|     echo ""
 | |
|     echo "The 'sepgsql-regtest' policy module appears not to be installed."
 | |
|     echo "Without this policy installed, the regression tests will fail."
 | |
|     echo "You can install this module using the following commands:"
 | |
|     echo ""
 | |
|     echo "  \$ make -f /usr/share/selinux/devel/Makefile"
 | |
|     echo "  \$ sudo semodule -u sepgsql-regtest.pp"
 | |
|     echo ""
 | |
|     echo "To confirm that the policy package is installed, use this command:"
 | |
|     echo ""
 | |
|     echo "  \$ sudo semodule -l | grep sepgsql"
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| echo "ok"
 | |
| 
 | |
| # Verify that sepgsql_regression_test_mode is active.
 | |
| echo -n "checking whether policy is enabled  ... "
 | |
| POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'`
 | |
| echo ${POLICY_STATUS:-failed}
 | |
| if [ "${POLICY_STATUS}" != on ]; then
 | |
|     echo ""
 | |
|     echo "The SELinux boolean 'sepgsql_regression_test_mode' must be"
 | |
|     echo "turned on in order to enable the rules necessary to run the"
 | |
|     echo "regression tests."
 | |
|     echo ""
 | |
|     if [ "${POLICY_STATUS}" = "" ]; then
 | |
|         echo "We attempted to determine the state of this Boolean using"
 | |
|         echo "'getsebool', but that command did not produce the expected"
 | |
|         echo "output.  Please verify that getsebool is available and in"
 | |
|         echo "your PATH."
 | |
|     else
 | |
|         echo "You can turn on this variable using the following commands:"
 | |
|         echo ""
 | |
|         echo "  \$ sudo setsebool sepgsql_regression_test_mode on"
 | |
|         echo ""
 | |
|         echo "For security reasons, it is suggested that you turn off this"
 | |
|         echo "variable when regression testing is complete and the associated"
 | |
|         echo "rules are no longer needed."
 | |
|     fi
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| POLICY_STATUS=`getsebool sepgsql_enable_users_ddl | awk '{print $3}'`
 | |
| echo ${POLICY_STATUS:-failed}
 | |
| if [ "${POLICY_STATUS}" != on ]; then
 | |
|     echo ""
 | |
|     echo "The SELinux boolean 'sepgsql_enable_users_ddl' must be"
 | |
|     echo "turned on in order to enable the rules necessary to run"
 | |
|     echo "the regression tests."
 | |
|     echo ""
 | |
|     if [ "${POLICY_STATUS}" = "" ]; then
 | |
|         echo "We attempted to determine the state of this Boolean using"
 | |
|         echo "'getsebool', but that command did not produce the expected"
 | |
|         echo "output.  Please verify that getsebool is available and in"
 | |
|         echo "your PATH."
 | |
|     else
 | |
|         echo "You can turn on this variable using the following commands:"
 | |
|         echo ""
 | |
|         echo "  \$ sudo setsebool sepgsql_enable_users_ddl on"
 | |
|         echo ""
 | |
|         echo "For security reasons, it is suggested that you turn off this"
 | |
|         echo "variable when regression testing is complete, unless you"
 | |
|         echo "don't want to allow unprivileged users DDL commands."
 | |
|     fi
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| 
 | |
| # 'psql' command must be executable from test domain
 | |
| echo -n "checking whether we can run psql    ... "
 | |
| CMD_PSQL="${PG_BINDIR}/psql"
 | |
| if [ ! -e "${CMD_PSQL}" ]; then
 | |
|     echo "not found"
 | |
|     echo
 | |
|     echo "${CMD_PSQL} was not found."
 | |
|     echo "Check your PostgreSQL installation."
 | |
|     echo
 | |
|     exit 1
 | |
| fi
 | |
| runcon -t sepgsql_regtest_user_t "${CMD_PSQL}" --help >& /dev/null
 | |
| if [ $? -ne 0 ]; then
 | |
|     echo "failed"
 | |
|     echo
 | |
|     echo "${CMD_PSQL} must be executable from the"
 | |
|     echo "sepgsql_regtest_user_t domain. That domain has restricted privileges"
 | |
|     echo "compared to unconfined_t, so the problem may be the psql file's"
 | |
|     echo "SELinux label. Try"
 | |
|     echo
 | |
|     PSQL_T=`matchpathcon -n "${CMD_PSQL}" | sed 's/:/ /g' | awk '{print $3}'`
 | |
|     if [ "${PSQL_T}" = "user_home_t" ]; then
 | |
|         # Installation appears to be in /home directory
 | |
|         echo "  \$ sudo restorecon -R ${PG_BINDIR}"
 | |
|         echo
 | |
|         echo "Or, using chcon"
 | |
|         echo
 | |
|         echo "  \$ sudo chcon -t user_home_t ${CMD_PSQL}"
 | |
|     else
 | |
|         echo "  \$ sudo restorecon -R ${PG_BINDIR}"
 | |
|         echo
 | |
|         echo "Or, using chcon"
 | |
|         echo
 | |
|         echo "  \$ sudo chcon -t bin_t ${CMD_PSQL}"
 | |
|     fi
 | |
|     echo
 | |
|     exit 1
 | |
| fi
 | |
| echo "ok"
 | |
| 
 | |
| # loadable module must be installed and not configured to permissive mode
 | |
| echo -n "checking sepgsql installation       ... "
 | |
| VAL="`${CMD_PSQL} -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null`"
 | |
| RETVAL="$?"
 | |
| if [ $RETVAL -eq 2 ]; then
 | |
|     echo "failed"
 | |
|     echo ""
 | |
|     echo "Could not connect to the database server."
 | |
|     echo "Please check your PostgreSQL installation."
 | |
|     echo ""
 | |
|     exit 1
 | |
| elif [ $RETVAL -ne 0 ]; then
 | |
|     echo "failed"
 | |
|     echo ""
 | |
|     echo "The sepgsql module does not appear to be loaded.  Please verify"
 | |
|     echo "that the 'shared_preload_libraries' setting in postgresql.conf"
 | |
|     echo "includes 'sepgsql', and then restart the server."
 | |
|     echo ""
 | |
|     echo "See Installation section of the contrib/sepgsql documentation."
 | |
|     echo ""
 | |
|     exit 1
 | |
| elif ! echo "$VAL" | grep -q 'off$'; then
 | |
|     echo "failed"
 | |
|     echo ""
 | |
|     echo "The parameter 'sepgsql.permissive' is set to 'on'.  It must be"
 | |
|     echo "turned off before running the regression tests."
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| echo "ok"
 | |
| 
 | |
| # template1 database must be labeled
 | |
| # NOTE: this test is wrong; we really ought to be checking template0.
 | |
| # But we can't connect to that without extra pushups, and it's not worth it.
 | |
| echo -n "checking for labels in template1    ... "
 | |
| NUM=`${CMD_PSQL} -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null`
 | |
| if [ -z "${NUM}" ]; then
 | |
|     echo "failed"
 | |
|     echo ""
 | |
|     echo "In order to test sepgsql, initial labels must be assigned within"
 | |
|     echo "the 'template1' database.  These labels will be copied into the"
 | |
|     echo "regression test database."
 | |
|     echo ""
 | |
|     echo "See Installation section of the contrib/sepgsql documentation."
 | |
|     echo ""
 | |
|     exit 1
 | |
| fi
 | |
| echo "found ${NUM}"
 | |
| 
 | |
| #
 | |
| # checking complete - let's run the tests
 | |
| #
 | |
| 
 | |
| echo
 | |
| echo "============== running sepgsql regression tests       =============="
 | |
| 
 | |
| tests="label dml ddl alter misc"
 | |
| 
 | |
| # Check if the truncate permission exists in the loaded policy, and if so,
 | |
| # run the truncate test
 | |
| #
 | |
| # Testing the TRUNCATE regression test can be done by manually adding
 | |
| # the permission with CIL if necessary:
 | |
| #     sudo semodule -cE base
 | |
| #     sudo sed -i -E 's/(class db_table.*?) \)/\1 truncate\)/' base.cil
 | |
| #     sudo semodule -i base.cil
 | |
| 
 | |
| if [ -f /sys/fs/selinux/class/db_table/perms/truncate ]; then
 | |
| 	tests+=" truncate"
 | |
| fi
 | |
| 
 | |
| make REGRESS="$tests" REGRESS_OPTS="--launcher ./launcher" installcheck
 | |
| # exit with the exit code provided by "make"
 |