he3pg/contrib/sepgsql/test_sepgsql

307 lines
10 KiB
Plaintext
Raw Normal View History

2022-08-31 15:03:14 +08:00
#!/bin/sh
#
# Run the sepgsql regression tests, after making a lot of environmental checks
# to try to ensure that the SELinux environment is set up appropriately and
# the database is configured correctly.
#
# Note that this must be run against an installed Postgres database.
# There's no equivalent of "make check", and that wouldn't be terribly useful
# since much of the value is in checking that you installed sepgsql into
# your database correctly.
#
# This must be run in the contrib/sepgsql directory of a Postgres build tree.
#
PG_BINDIR=`pg_config --bindir`
# we must move to contrib/sepgsql directory to run pg_regress correctly
cd `dirname $0`
echo
echo "============== checking selinux environment =============="
# matchpathcon must be present to assess whether the installation environment
# is OK.
echo -n "checking for matchpathcon ... "
if ! matchpathcon -n . >/dev/null 2>&1; then
echo "not found"
echo ""
echo "The matchpathcon command must be available."
echo "Please install it or update your PATH to include it"
echo "(it is typically in '/usr/sbin', which might not be in your PATH)."
echo "matchpathcon is typically included in the libselinux-utils package."
exit 1
fi
echo "ok"
# runcon must be present to launch psql using the correct environment
echo -n "checking for runcon ... "
if ! runcon --help >/dev/null 2>&1; then
echo "not found"
echo ""
echo "The runcon command must be available."
echo "runcon is typically included in the coreutils package."
echo ""
exit 1
fi
echo "ok"
# check sestatus too, since that lives in yet another package
echo -n "checking for sestatus ... "
if ! sestatus >/dev/null 2>&1; then
echo "not found"
echo ""
echo "The sestatus command must be available."
echo "sestatus is typically included in the policycoreutils package."
echo ""
exit 1
fi
echo "ok"
# check that the user is running in the unconfined_t domain
echo -n "checking current user domain ... "
DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'`
echo ${DOMAIN:-failed}
if [ "${DOMAIN}" != unconfined_t ]; then
echo ""
echo "The regression tests must be launched from the unconfined_t domain."
echo ""
echo "The unconfined_t domain is typically the default domain for user"
echo "shell processes. If the default has been changed on your system,"
echo "you can revert the changes like this:"
echo ""
echo " \$ sudo semanage login -d `whoami`"
echo ""
echo "Or, you can add a setting to log in using the unconfined_t domain:"
echo ""
echo " \$ sudo semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`"
echo ""
exit 1
fi
# SELinux must be configured in enforcing mode
echo -n "checking selinux operating mode ... "
CURRENT_MODE=`LANG=C sestatus | grep '^Current mode:' | awk '{print $3}'`
echo ${CURRENT_MODE:-failed}
if [ "${CURRENT_MODE}" = enforcing ]; then
: OK
elif [ "${CURRENT_MODE}" = permissive -o "${CURRENT_MODE}" = disabled ]; then
echo ""
echo "Before running the regression tests, SELinux must be enabled and"
echo "must be running in enforcing mode."
echo ""
echo "If SELinux is currently running in permissive mode, you can"
echo "switch to enforcing mode using the 'setenforce' command."
echo
echo " \$ sudo setenforce 1"
echo ""
echo "The system default setting is configured in /etc/selinux/config,"
echo "or using a kernel boot parameter."
echo ""
exit 1
else
echo ""
echo "Unable to determine the current selinux operating mode. Please"
echo "verify that the sestatus command is installed and in your PATH."
echo ""
exit 1
fi
# 'sepgsql-regtest' policy module must be loaded
echo -n "checking for sepgsql-regtest policy ... "
SELINUX_MNT=`LANG=C sestatus | grep '^SELinuxfs mount:' | awk '{print $3}'`
if [ "$SELINUX_MNT" = "" ]; then
echo "failed"
echo ""
echo "Unable to find SELinuxfs mount point."
echo ""
echo "The sestatus command should report the location where SELinuxfs"
echo "is mounted, but did not do so."
echo ""
exit 1
fi
if [ ! -e "${SELINUX_MNT}/booleans/sepgsql_regression_test_mode" ]; then
echo "failed"
echo ""
echo "The 'sepgsql-regtest' policy module appears not to be installed."
echo "Without this policy installed, the regression tests will fail."
echo "You can install this module using the following commands:"
echo ""
echo " \$ make -f /usr/share/selinux/devel/Makefile"
echo " \$ sudo semodule -u sepgsql-regtest.pp"
echo ""
echo "To confirm that the policy package is installed, use this command:"
echo ""
echo " \$ sudo semodule -l | grep sepgsql"
echo ""
exit 1
fi
echo "ok"
# Verify that sepgsql_regression_test_mode is active.
echo -n "checking whether policy is enabled ... "
POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'`
echo ${POLICY_STATUS:-failed}
if [ "${POLICY_STATUS}" != on ]; then
echo ""
echo "The SELinux boolean 'sepgsql_regression_test_mode' must be"
echo "turned on in order to enable the rules necessary to run the"
echo "regression tests."
echo ""
if [ "${POLICY_STATUS}" = "" ]; then
echo "We attempted to determine the state of this Boolean using"
echo "'getsebool', but that command did not produce the expected"
echo "output. Please verify that getsebool is available and in"
echo "your PATH."
else
echo "You can turn on this variable using the following commands:"
echo ""
echo " \$ sudo setsebool sepgsql_regression_test_mode on"
echo ""
echo "For security reasons, it is suggested that you turn off this"
echo "variable when regression testing is complete and the associated"
echo "rules are no longer needed."
fi
echo ""
exit 1
fi
POLICY_STATUS=`getsebool sepgsql_enable_users_ddl | awk '{print $3}'`
echo ${POLICY_STATUS:-failed}
if [ "${POLICY_STATUS}" != on ]; then
echo ""
echo "The SELinux boolean 'sepgsql_enable_users_ddl' must be"
echo "turned on in order to enable the rules necessary to run"
echo "the regression tests."
echo ""
if [ "${POLICY_STATUS}" = "" ]; then
echo "We attempted to determine the state of this Boolean using"
echo "'getsebool', but that command did not produce the expected"
echo "output. Please verify that getsebool is available and in"
echo "your PATH."
else
echo "You can turn on this variable using the following commands:"
echo ""
echo " \$ sudo setsebool sepgsql_enable_users_ddl on"
echo ""
echo "For security reasons, it is suggested that you turn off this"
echo "variable when regression testing is complete, unless you"
echo "don't want to allow unprivileged users DDL commands."
fi
echo ""
exit 1
fi
# 'psql' command must be executable from test domain
echo -n "checking whether we can run psql ... "
CMD_PSQL="${PG_BINDIR}/psql"
if [ ! -e "${CMD_PSQL}" ]; then
echo "not found"
echo
echo "${CMD_PSQL} was not found."
echo "Check your PostgreSQL installation."
echo
exit 1
fi
runcon -t sepgsql_regtest_user_t "${CMD_PSQL}" --help >& /dev/null
if [ $? -ne 0 ]; then
echo "failed"
echo
echo "${CMD_PSQL} must be executable from the"
echo "sepgsql_regtest_user_t domain. That domain has restricted privileges"
echo "compared to unconfined_t, so the problem may be the psql file's"
echo "SELinux label. Try"
echo
PSQL_T=`matchpathcon -n "${CMD_PSQL}" | sed 's/:/ /g' | awk '{print $3}'`
if [ "${PSQL_T}" = "user_home_t" ]; then
# Installation appears to be in /home directory
echo " \$ sudo restorecon -R ${PG_BINDIR}"
echo
echo "Or, using chcon"
echo
echo " \$ sudo chcon -t user_home_t ${CMD_PSQL}"
else
echo " \$ sudo restorecon -R ${PG_BINDIR}"
echo
echo "Or, using chcon"
echo
echo " \$ sudo chcon -t bin_t ${CMD_PSQL}"
fi
echo
exit 1
fi
echo "ok"
# loadable module must be installed and not configured to permissive mode
echo -n "checking sepgsql installation ... "
VAL="`${CMD_PSQL} -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null`"
RETVAL="$?"
if [ $RETVAL -eq 2 ]; then
echo "failed"
echo ""
echo "Could not connect to the database server."
echo "Please check your PostgreSQL installation."
echo ""
exit 1
elif [ $RETVAL -ne 0 ]; then
echo "failed"
echo ""
echo "The sepgsql module does not appear to be loaded. Please verify"
echo "that the 'shared_preload_libraries' setting in postgresql.conf"
echo "includes 'sepgsql', and then restart the server."
echo ""
echo "See Installation section of the contrib/sepgsql documentation."
echo ""
exit 1
elif ! echo "$VAL" | grep -q 'off$'; then
echo "failed"
echo ""
echo "The parameter 'sepgsql.permissive' is set to 'on'. It must be"
echo "turned off before running the regression tests."
echo ""
exit 1
fi
echo "ok"
# template1 database must be labeled
# NOTE: this test is wrong; we really ought to be checking template0.
# But we can't connect to that without extra pushups, and it's not worth it.
echo -n "checking for labels in template1 ... "
NUM=`${CMD_PSQL} -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null`
if [ -z "${NUM}" ]; then
echo "failed"
echo ""
echo "In order to test sepgsql, initial labels must be assigned within"
echo "the 'template1' database. These labels will be copied into the"
echo "regression test database."
echo ""
echo "See Installation section of the contrib/sepgsql documentation."
echo ""
exit 1
fi
echo "found ${NUM}"
#
# checking complete - let's run the tests
#
echo
echo "============== running sepgsql regression tests =============="
tests="label dml ddl alter misc"
# Check if the truncate permission exists in the loaded policy, and if so,
# run the truncate test
#
# Testing the TRUNCATE regression test can be done by manually adding
# the permission with CIL if necessary:
# sudo semodule -cE base
# sudo sed -i -E 's/(class db_table.*?) \)/\1 truncate\)/' base.cil
# sudo semodule -i base.cil
if [ -f /sys/fs/selinux/class/db_table/perms/truncate ]; then
tests+=" truncate"
fi
make REGRESS="$tests" REGRESS_OPTS="--launcher ./launcher" installcheck
# exit with the exit code provided by "make"