> The attached patch fixes the policy module of the regression test.
> However, I also think we may stop relying on the permission set of pre-defined
> selinux domains. Instead of a pre-defined one, sepgsql-regtest.te perhaps
> ought to define its own domain with an appropriate permission set, independent
> of the base selinux-policy version.

I have applied this patch and run the tests. All seems to work, except that I have a minor error in the 'label' regression tests. It is simply a result order issue; modifying the expected order in my environment resolves the issue. I have attached the 'regression.diffs' for reference as well.

FWIW, I have also attached a patch that corrects this issue for me; hopefully it is useful.

-Adam

--
Adam Brightwell - adam.brightw...@crunchydatasolutions.com
Database Engineer - www.crunchydatasolutions.com

diff --git a/contrib/sepgsql/expected/label.out b/contrib/sepgsql/expected/label.out new file mode 100644 index 9d1f904..d41eb48 *** a/contrib/sepgsql/expected/label.out --- b/contrib/sepgsql/expected/label.out *************** SELECT objtype, objname, label FROM pg_s *** 82,106 **** (3 rows) SELECT objtype, objname, label FROM pg_seclabels ! WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%'); objtype | objname | label ---------+-------------+----------------------------------------------- - column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0 column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0 column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0 ! column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0 ! column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0 ! column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0 ! column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 ! column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 ! column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0 (16 rows) -- --- 82,107 ---- (3 rows) SELECT objtype, objname, label FROM pg_seclabels ! WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%') ! 
ORDER BY objname ASC; objtype | objname | label ---------+-------------+----------------------------------------------- column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0 column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0 ! column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0 ! column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0 column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0 + column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0 column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 (16 rows) -- 
diff --git a/contrib/sepgsql/sql/label.sql b/contrib/sepgsql/sql/label.sql new file mode 100644 index 7a05c24..f4d50c3 *** a/contrib/sepgsql/sql/label.sql --- b/contrib/sepgsql/sql/label.sql *************** INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn *** 78,84 **** SELECT objtype, objname, label FROM pg_seclabels WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3'); SELECT objtype, objname, label FROM pg_seclabels ! WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%'); -- -- Tests for SECURITY LABEL --- 78,85 ---- SELECT objtype, objname, label FROM pg_seclabels WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3'); SELECT objtype, objname, label FROM pg_seclabels ! WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%') ! ORDER BY objname ASC; -- -- Tests for SECURITY LABEL
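Review bot: The new expected order in contrib/sepgsql/expected/label.out (t3.cmax, t3.cmin, t3.ctid, t3.s, t3.t, t3.tableoid, ...) is whatever ORDER BY objname produces under the collation of the database the test runs in, so the file still encodes an environment-dependent assumption, only a weaker one than the unordered scan it replaces. Since the point of this test is to pin the security label assigned to every user and system column of t3 and t4, consider making the sort explicit with ORDER BY objname COLLATE "C" so the 16 rows compare bytewise and the expected file matches regardless of the cluster's locale.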
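Review bot: In contrib/sepgsql/sql/label.sql the query immediately above the changed one, the pg_seclabels lookup with objtype = 'table' AND objname in ('t1', 't2', 't3'), is left without an ORDER BY and returns three rows, so it can fail the same way the column query did. Adding an ORDER BY objname there in the same patch would close the whole class of ordering failures in this part of the test. As a style point, ASC is the default sort direction and can be dropped from the new ORDER BY objname ASC line.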