I fixed up the security policy for the regression test and the chkselinuxenv script.

The revised security policy allows the test domains to execute programs
installed under home directories.
In addition, the revised chkselinuxenv now also checks for the commands
necessary to run the script itself, and changes the way it validates the
executability of the psql command. (The point of this test is whether psql is
executable by sepgsql_regtest_user_t or not, so bin_t is not a criterion for
failing the script.)

Thanks,

2011/8/18 Kohei Kaigai <kohei.kai...@emea.nec.com>:
>> OK, I'm giving up for now.  I hit two more snags:
>>
>> 1. chkselinuxenv uses "which", and a Fedora 15 minimal install doesn't
>> include that.  I fixed that by installing "which", but maybe we ought
>> to be looking for a way to eliminate that dependency, like testing for
>> the commands you need by running them with --help, or something like
>> that.
>>
> Oops, I thought "which" was a part of coreutils.
>
> I'll try to update chkselinuxenv to print a help message when necessary 
> commands are not installed.
>
>> 2. restorecon doesn't correctly set the permissions for me on
>> ~/project/bin/psql.  I get:
>>
>> [rhaas@f15selinux sepgsql]$ ls -Z ~/project/bin/psql
>> -rwxr-xr-x. rhaas rhaas unconfined_u:object_r:user_home_t:s0
>> /home/rhaas/project/bin/psql
>>
>> Now I can fix that by applying bin_t manually, as suggested in the
>> documentation.  However, that just moves the failure to library load
>> time.  regression.diffs has multiple copies of this error message:
>>
>> /home/rhaas/project/bin/psql: error while loading shared libraries:
>> libpq.so.5: failed to map segment from shared object: Permission
>> denied
>>
> I guess it tries to mmap(2) libpq.so.5 (labeled as user_home_t) with 
> executable mode.
> The regression test switches the domain of the psql command on its execution from 
> "unconfined_t" to "sepgsql_regtest_user_t"; however, I didn't allow this 
> domain to mmap(2) files in the user's home directory with executable mode.
> The security policy of the regression test may need to be revised to support 
> installation into a home directory.
>
> As a quick avoidance, how about --prefix=/usr/local/sepgsql instead?
>
> Thanks,
> --
> NEC Europe Ltd, SAP Global Competence Center
> KaiGai Kohei <kohei.kai...@emea.nec.com>
>
>
>> -----Original Message-----
>> From: Robert Haas [mailto:robertmh...@gmail.com]
>> Sent: 18. August 2011 18:22
>> To: Kohei Kaigai
>> Cc: Yeb Havinga; PgHacker; Kohei KaiGai
>> Subject: Re: [HACKERS] [v9.1] sepgsql - userspace access vector cache
>>
>> On Thu, Aug 18, 2011 at 1:00 PM, Robert Haas <robertmh...@gmail.com> wrote:
>> > [more problems]
>>
>> OK, I'm giving up for now.  I hit two more snags:
>>
>> 1. chkselinuxenv uses "which", and a Fedora 15 minimal install doesn't
>> include that.  I fixed that by installing "which", but maybe we ought
>> to be looking for a way to eliminate that dependency, like testing for
>> the commands you need by running them with --help, or something like
>> that.
>>
>> 2. restorecon doesn't correctly set the permissions for me on
>> ~/project/bin/psql.  I get:
>>
>> [rhaas@f15selinux sepgsql]$ ls -Z ~/project/bin/psql
>> -rwxr-xr-x. rhaas rhaas unconfined_u:object_r:user_home_t:s0
>> /home/rhaas/project/bin/psql
>>
>> Now I can fix that by applying bin_t manually, as suggested in the
>> documentation.  However, that just moves the failure to library load
>> time.  regression.diffs has multiple copies of this error message:
>>
>> /home/rhaas/project/bin/psql: error while loading shared libraries:
>> libpq.so.5: failed to map segment from shared object: Permission
>> denied
>>
>> Help!
>>
>> Thanks,
>>
>> --
>> Robert Haas
>> EnterpriseDB: http://www.enterprisedb.com
>> The Enterprise PostgreSQL Company
>>
>



-- 
KaiGai Kohei <kai...@kaigai.gr.jp>
 contrib/sepgsql/chkselinuxenv      |   68 ++++++++++++++++++++++++++++++------
 contrib/sepgsql/sepgsql-regtest.te |    4 ++-
 2 files changed, 60 insertions(+), 12 deletions(-)

diff --git a/contrib/sepgsql/chkselinuxenv b/contrib/sepgsql/chkselinuxenv
index 0be17ab..76e41d1 100755
--- a/contrib/sepgsql/chkselinuxenv
+++ b/contrib/sepgsql/chkselinuxenv
@@ -4,11 +4,43 @@
 # satisfies prerequisites to run regression test.
 # If incorrect settings are found, this script suggest user a hint.
 #
+# NOTE:
+#   This script assumes the following commands are already installed:
+#     /bin/sh, sed, awk, coreutils (id, test, echo, ...)
+#   If not installed, please set up them first.
+#
 PG_BINDIR="$1"
 PG_DATADIR="$2"
 
 echo
 echo "============== checking selinux environment           =============="
+#
+# Test.0 - necessary commands for environment checks
+#
+echo -n "test installed commans        ... "
+if ! which --help >&/dev/null; then
+    echo "failed"
+    echo
+    echo "'which' command was not found, executable or installed."
+    echo "Please make sure your PATH, or install this command at first."
+    echo
+    echo "If yum is available on your system, it will suggest packages"
+    echo "to be installed:"
+    echo "  # yum provides which"
+    exit 1
+fi
+if ! matchpathcon -n / >&/dev/null; then
+    echo "failed"
+    echo
+    echo "'matchpathcon' command was not found, executable or installed."
+    echo "Please make sure your PATH, or install this command at first."
+    echo
+    echo "If yum is available on your system, it will suggest packages"
+    echo "to be installed:"
+    echo "  # yum provides which"
+    exit 1
+fi
+echo "ok"
 
 #
 # Test.1 - must be launched at unconfined_t domain
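Review bot: the matchpathcon branch of Test.0 still tells the user to run `yum provides which`; it should be `yum provides matchpathcon` so the hint names the command that is actually missing. In the same block, the prompt text has a typo ("test installed commans"), and `>&/dev/null` is a bash/csh redirection rather than POSIX sh, so it should be `>/dev/null 2>&1` if the script is meant to run under the `/bin/sh` that the new NOTE lists as a prerequisite. Also, since the complaint in the thread was that `which` is absent on a minimal Fedora install, adding a check that exits when `which` is missing does not remove the dependency; replacing the script's `which` calls with the POSIX builtin `command -v` would, and then Test.0 only needs to probe matchpathcon and runcon.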
@@ -164,24 +196,38 @@ fi
 echo "ok"
 
 #
-# Test.8 - 'psql' command must be labeled as 'bin_t' type
+# Test.8 - 'psql' command must be executable by test domain
 #
-echo -n "test label of psql            ... "
+echo -n "test execution of psql        ... "
 
 CMD_PSQL="${PG_BINDIR}/psql"
-LABEL_PSQL=`stat -c '%C' ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'`
-if [ "${LABEL_PSQL}" != "bin_t" ]; then
+${CMD_RUNCON} -t sepgsql_regtest_user_t ${CMD_PSQL} --help >& /dev/null
+if [ $? -ne 0 ]; then
     echo "failed"
     echo
-    echo "The ${CMD_PSQL} must be labeled as bin_t type."
-    echo "You can assign right label using restorecon, as follows:"
+    echo "The ${CMD_PSQL} must be executable by sepgsql_regtest_user_t"
+    echo "domain. It has restricted privileges compared to unconfined_t,"
+    echo "so you should ensure whether this command is labeled correctly."
     echo
     echo "  \$ su - (not needed, if you owns installation directory)"
-    echo "  # restorecon -R ${PG_BINDIR}"
-    echo
-    echo "Or, using chcon"
-    echo
-    echo "  # chcon -t bin_t ${CMD_PSQL}"
+    EXPECT_PSQL=`matchpathcon -n ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'`
+    if [ "${EXPECT_PSQL}" = "user_home_t" ]; then
+	## Case of installation on /home directory
+	echo "  # restorecon -R ${PG_BINDIR}"
+	echo
+	echo "Or, using chcon"
+	echo
+	echo "  # chcon -t user_home_t ${CMD_PSQL}"
+    else
+	echo "  \$ su - (not needed, if you owns installation directory)"
+	if [ "${EXPECT_PSQL}" = "bin_t" ]; then
+	    echo "  # restorecon -R ${PG_BINDIR}"
+	    echo
+	    echo "Or, using chcon"
+	    echo
+	fi
+	echo "  # chcon -t user_home_t ${CMD_PSQL}"
+    fi
     echo
     exit 1
 fi
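Review bot: the failure hint picks the wrong chcon target when the expected label is not user_home_t: the `else` branch always ends with `echo "  # chcon -t user_home_t ${CMD_PSQL}"`, including the `bin_t` case, and it echoes the `su -` line a second time although that line was already printed before the `if`. Suggest printing the value already computed, `echo "  # chcon -t ${EXPECT_PSQL} ${CMD_PSQL}"`, and keeping a single `su -` echo outside the branch. Separately, `${CMD_RUNCON}` is not assigned anywhere in this diff; if it is not set earlier in the script the command degenerates to `-t sepgsql_regtest_user_t .../psql --help`, which fails and reports a misleading "failed". Running `psql --help` under runcon is the right test, since it also exercises the libpq.so.5 mapping that failed in the thread, but with both streams sent to /dev/null the user never sees the "Permission denied" message; consider capturing stderr and echoing it on failure. The new lines also mix tab indentation with the four-space style of the rest of the script.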
diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
index 3b1def7..a8fe247 100644
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -1,4 +1,4 @@
-policy_module(sepgsql-regtest, 1.02)
+policy_module(sepgsql-regtest, 1.03)
 
 gen_require(`
 	all_userspace_class_perms
@@ -24,6 +24,7 @@ postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
 role sepgsql_regtest_dba_r;
 userdom_base_user_template(sepgsql_regtest_dba)
 userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
+userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
 userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
 optional_policy(`
 	postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
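Review bot: `userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)` lets the dba test domain execute and map any user_home_t file, not just the PostgreSQL binaries under the install prefix; acceptable for a regression-test-only module, but a comment in the .te saying it exists to support a --prefix under $HOME would stop it being copied into a production policy. Unrelated to the added line but visible in this hunk's context: `userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)` sits in the dba block yet names the user domain; if that is a copy-paste slip it should read `sepgsql_regtest_dba_t`.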
@@ -40,6 +41,7 @@ optional_policy(`
 role sepgsql_regtest_user_r;
 userdom_base_user_template(sepgsql_regtest_user)
 userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
+userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
 userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
 optional_policy(`
 	postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
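Review bot: this grants the user test domain file execute on user_home_t, which is the permission the mmap(PROT_EXEC) of libpq.so.5 reported earlier in the thread was missing, so it addresses the library-load failure. By its name the interface grants execute, not `entrypoint`, and the revised chkselinuxenv now relies on `runcon -t sepgsql_regtest_user_t` transitioning into a psql binary that is itself labeled user_home_t (see the `ls -Z` output quoted above); please confirm that transition succeeds without relabeling psql to bin_t, otherwise the new Test.8 hint for the home-directory case (`chcon -t user_home_t`) steers the user to a label the domain cannot be entered through.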
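The check this thread converges on (run psql under the test domain instead of inspecting its label, and derive the relabel hint from what the policy expects) written as a stand-alone script. This is an added example, not code from the posted patch or from contrib/sepgsql; the function names are my own, it uses `command -v` instead of `which`, and it assumes SELinux is enabled when /sys/fs/selinux exists. runcon(1) and matchpathcon(8) are only invoked when present, so the parsing and hint helpers also run on a host without SELinux.

```shell
#!/bin/sh
# Added example, not code from the posted patch: a portable form of the
# "can psql actually run in the test domain?" check the thread converges on.
# All function names are my own. runcon(1) and matchpathcon(8) are only
# invoked when present, so the pure helpers also run on a non-SELinux host.

# Type field of an SELinux context "user:role:type:level". The level may
# itself contain colons (an MLS range such as s0-s0:c0.c1023), so take the
# third field, never the last one.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type the loaded policy's file contexts expect for a path. Prints nothing
# and fails when matchpathcon is not installed.
expected_type() {
    command -v matchpathcon >/dev/null 2>&1 || return 1
    ctx_type "$(matchpathcon -n "$1")"
}

# Relabel hint for file $2 whose policy-expected type is $1. The chcon
# target follows the expected type; it is not hard-wired to user_home_t.
relabel_hint() {
    expect=$1
    path=$2
    if [ -z "$expect" ]; then
        printf 'no file-context rule known for %s; check matchpathcon %s\n' "$path" "$path"
        return 1
    fi
    printf 'restorecon -R %s\n' "$(dirname "$path")"
    printf 'chcon -t %s %s\n' "$expect" "$path"
}

# Run "$2 --help" inside SELinux domain $1. Exit status 0 means it ran,
# non-zero other than 2 means it failed (wrong label on the binary, or a
# denied library mapping such as the libpq.so.5 mmap in the thread), and
# 2 means the check was skipped.
# Assumption: SELinux is treated as enabled when /sys/fs/selinux exists.
exec_in_domain() {
    domain=$1
    cmd=$2
    command -v runcon >/dev/null 2>&1 && [ -d /sys/fs/selinux ] || return 2
    runcon -t "$domain" "$cmd" --help >/dev/null 2>&1
}

# Driver in the style of chkselinuxenv's Test.8: report, and on failure
# derive the hint from what the policy expects instead of assuming a label.
check_psql() {
    psql=$1/psql
    exec_in_domain sepgsql_regtest_user_t "$psql"
    case $? in
        0) echo "ok" ;;
        2) echo "skipped (runcon or SELinux not available)" ;;
        *) echo "failed"
           echo "$psql must be executable by sepgsql_regtest_user_t; try:"
           relabel_hint "$(expected_type "$psql")" "$psql" ;;
    esac
}

# Usage: check_psql /usr/local/sepgsql/bin   (or "$HOME/project/bin")
```

On a host where psql is installed under $HOME and the module above is loaded, matchpathcon reports user_home_t for the binary, so the hint suggests restoring that label rather than bin_t; with a /usr/local prefix it suggests bin_t. Because the probe executes the real binary, a denied mmap of a shared library shows up as a failure just like a wrongly labeled executable would.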
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers