1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
|
#!/bin/sh
#
# SELinux environment checks to ensure configuration of the operating system
# satisfies prerequisites to run regression test.
# If incorrect settings are found, this script suggest user a hint.
#
PG_BINDIR="$1"
PG_DATADIR="$2"
echo
echo "============== checking selinux environment =============="
# matchpathcon must be present to assess whether the installation environment
# is OK.
echo -n "checking for matchpathcon ... "
if ! matchpathcon -n . >/dev/null 2>&1; then
echo "not found"
echo ""
echo "matchpathcon not found; please install it or update your PATH."
exit 1
fi
echo "ok"
# runcon must be present to launch psql using the correct environment
echo -n "checking for runcon ... "
if ! runcon --help >/dev/null 2>&1; then
echo "failed"
echo ""
echo "The runcon command must exist and be executable; it is used to"
echo "launch psql command with a particular domain. It is typically"
echo "included within the coreutils package."
echo ""
exit 1
fi
echo "ok"
# check that the user is running in the unconfined_t domain
echo -n "checking current user domain ... "
DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'`
echo ${DOMAIN:-failed}
if [ "${DOMAIN}" != "unconfined_t" ]; then
echo ""
echo "This regression test must be launched from the unconfined_t domain."
echo ""
echo "The unconfined_t domain is typically the default domain for user"
echo "shell processes. If the default has been changed on your system,"
echo "you can revert the changes like this:"
echo ""
echo " \$ su -"
echo " # semanage login -d `whoami`"
echo ""
echo "Or, you can add a setting to log in using the unconfined_t domain:"
echo ""
echo " \$ su -"
echo " # semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`"
echo ""
exit 1
fi
# SELinux must be configured to enforcing mode
echo -n "checking selinux operating mode ... "
CURRENT_MODE=`env LANG=C sestatus | grep 'Current mode:' | awk '{print $3}'`
echo ${CURRENT_MODE:-failed}
if [ "${CURRENT_MODE}" != enforcing ]; then
if [ "${CURRENT_MODE}" = permissive -o "${CURRENT_MODE}" = disabled ]; then
echo ""
echo "Before running the regression tests, SELinux must be enabled and"
echo "must be running in enforcing mode."
echo ""
echo "If SELinux is currently running in permissive mode, you can"
echo "switch to enforcing command using the 'setenforce' command."
echo
echo " \$ su -"
echo " # setenforce 1"
echo ""
echo "The system default setting is configured in /etc/selinux/config,"
echo "or using a kernel bool parameter."
echo ""
else
echo ""
echo "Unable to determine the current selinux operating mode. Please"
echo "verify that the sestatus command is installed and in your PATH."
echo ""
fi
exit 1
fi
# 'sepgsql-regtest' policy module must be loaded
echo -n "checking for sepgsql-regtest policy ... "
SELINUX_MNT=`env LANG=C sestatus 2>/dev/null | grep '^SELinuxfs mount:' | awk '{print $3}'`
if [ "$SELINUX_MNT" = "" ]; then
echo "failed"
echo ""
echo "Unable to find SELinuxfs mount point."
echo ""
echo "The sestatus command should report the location where SELinuxfs"
echo "is mounted, but did not do so."
echo ""
exit 1
fi
if [ ! -e ${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ]; then
echo "failed"
echo ""
echo "The 'sepgsql-regtest' policy module appears not to be installed."
echo "Without this policy installed, the regression tests will fail."
echo "You can install this module using the following commands:"
echo ""
echo " \$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux"
echo " \$ su"
echo " # semodule -i contrib/sepgsql/sepgsql-regtest.pp"
echo ""
echo "To confirm that policy package is installed, use this command:"
echo ""
echo " # semodule -l | grep sepgsql"
echo ""
exit 1
fi
echo "ok"
# Verify that sepgsql_regression_test_mode is active.
echo -n "checking whether policy is enabled ... "
POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'`
echo ${POLICY_STATUS:-failed}
if [ "${POLICY_STATUS}" != "on" ]; then
echo ""
echo "The SELinux boolean 'sepgsql_regression_test_mode' must be"
echo "turned on in order to enable the rules necessary to run the"
echo "regression tests."
echo ""
if "${POLICY_STATUS}" = ""; then
echo "We attempted to determine the state of this Boolean using"
echo "'getsebool', but that command did not produce the expected"
echo "output. Please verify that getsebool is available and in"
echo "your PATH."
else
echo "You can turn on this variable using the following commands:"
echo ""
echo " \$ su -"
echo " # setsebool sepgsql_regression_test_mode 1"
echo ""
echo "For security reasons, it is suggested that you turn off this"
echo "variable when regression testing is complete and the associated"
echo "rules are no longer needed."
fi
echo ""
exit 1
fi
# 'psql' command must be executable by test domain
echo -n "checking whether we can run psql ... "
CMD_PSQL="${PG_BINDIR}/psql"
runcon -t sepgsql_regtest_user_t ${CMD_PSQL} --help >& /dev/null
if [ $? -ne 0 ]; then
echo "failed"
echo
echo "${CMD_PSQL} must be executable from the sepgsql_regtest_user_t"
echo "domain. The domain has restricted privileges compared to"
echo "unconfined_t, so you should ensure that it is labeled correctly."
echo
echo " \$ su - (not needed, if you owns installation directory)"
EXPECT_PSQL=`matchpathcon -n ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'`
if [ "${EXPECT_PSQL}" = "user_home_t" ]; then
## Case of installation on /home directory
echo " # restorecon -R ${PG_BINDIR}"
echo
echo "Or, using chcon"
echo
echo " # chcon -t user_home_t ${CMD_PSQL}"
else
echo " \$ su - (not needed, if you own the installation directory)"
echo " # restorecon -R ${PG_BINDIR}"
echo
echo "Or, using chcon"
echo
echo " # chcon -t bin_t ${CMD_PSQL}"
fi
echo
exit 1
fi
echo "ok"
# loadable module must be installed and not configured to permissive mode
echo -n "checking sepgsql installation ... "
VAL="`${CMD_PSQL} template1 -tc 'SHOW sepgsql.permissive' 2>/dev/null`"
RETVAL="$?"
if [ $RETVAL -eq 2 ]; then
echo "failed"
echo ""
echo "Unable to connect to the server. Please check your installation."
echo ""
exit 1
elif [ $RETVAL -ne 0 ]; then
echo "failed"
echo ""
echo "The 'sepgsql' module does not appear to be loaded. Please verify"
echo "that the 'shared_preload_libraries' setting in postgresql.conf"
echo "includes sepgsql, and then stop and restart the server."
echo ""
exit 1
elif ! echo "$VAL" | grep -q 'off$'; then
echo "failed"
echo ""
echo "The GUC variable 'sepgsql.permissive' is set to 'on'. It must be"
echo "turned off before running the regression tests."
echo ""
exit 1
fi
echo "ok"
# template1 database must be labeled
echo -n "checking for labels in template1 ... "
NUM=`${CMD_PSQL} template1 -Atc 'SELECT count(*) FROM pg_catalog.pg_seclabel' 2>/dev/null`
if [ -z "${NUM}" ]; then
echo "failed"
echo ""
echo "In order to regression test sepgsql, initial labels must be assigned"
echo "on the 'template1' database. These labels will be copied into the"
echo "regression test database."
echo ""
echo "See Installation section of the PostgreSQL documentation."
echo ""
exit 1
fi
echo "found ${NUM}"
#
# check complete -
#
echo ""
exit 0
|
