pgsql-fix-sepgsql-regtest.patch

text/x-patch

Filename: pgsql-fix-sepgsql-regtest.patch
Type: text/x-patch
Part: 0
Message: Re: [v9.1] sepgsql - userspace access vector cache
 contrib/sepgsql/chkselinuxenv      |   68 ++++++++++++++++++++++++++++++------
 contrib/sepgsql/sepgsql-regtest.te |    4 ++-
 2 files changed, 60 insertions(+), 12 deletions(-)

diff --git a/contrib/sepgsql/chkselinuxenv b/contrib/sepgsql/chkselinuxenv
index 0be17ab..76e41d1 100755
--- a/contrib/sepgsql/chkselinuxenv
+++ b/contrib/sepgsql/chkselinuxenv
@@ -4,11 +4,43 @@
 # satisfies prerequisites to run regression test.
 # If incorrect settings are found, this script suggest user a hint.
 #
+# NOTE:
+#   This script assumes the following commands are already installed:
+#     /bin/sh, sed, awk, coreutils (id, test, echo, ...)
+#   If not installed, please set up them first.
+#
 PG_BINDIR="$1"
 PG_DATADIR="$2"
 
 echo
 echo "============== checking selinux environment           =============="
+#
+# Test.0 - necessary commands for environment checks
+#
+echo -n "test installed commans        ... "
+if ! which --help >&/dev/null; then
+    echo "failed"
+    echo
+    echo "'which' command was not found, executable or installed."
+    echo "Please make sure your PATH, or install this command at first."
+    echo
+    echo "If yum is available on your system, it will suggest packages"
+    echo "to be installed:"
+    echo "  # yum provides which"
+    exit 1
+fi
+if ! matchpathcon -n / >&/dev/null; then
+    echo "failed"
+    echo
+    echo "'matchpathcon' command was not found, executable or installed."
+    echo "Please make sure your PATH, or install this command at first."
+    echo
+    echo "If yum is available on your system, it will suggest packages"
+    echo "to be installed:"
+    echo "  # yum provides which"
+    exit 1
+fi
+echo "ok"
 
 #
 # Test.1 - must be launched at unconfined_t domain
@@ -164,24 +196,38 @@ fi
 echo "ok"
 
 #
-# Test.8 - 'psql' command must be labeled as 'bin_t' type
+# Test.8 - 'psql' command must be executable by test domain
 #
-echo -n "test label of psql            ... "
+echo -n "test execution of psql        ... "
 
 CMD_PSQL="${PG_BINDIR}/psql"
-LABEL_PSQL=`stat -c '%C' ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'`
-if [ "${LABEL_PSQL}" != "bin_t" ]; then
+${CMD_RUNCON} -t sepgsql_regtest_user_t ${CMD_PSQL} --help >& /dev/null
+if [ $? -ne 0 ]; then
     echo "failed"
     echo
-    echo "The ${CMD_PSQL} must be labeled as bin_t type."
-    echo "You can assign right label using restorecon, as follows:"
+    echo "The ${CMD_PSQL} must be executable by sepgsql_regtest_user_t"
+    echo "domain. It has restricted privileges compared to unconfined_t,"
+    echo "so you should ensure whether this command is labeled correctly."
     echo
     echo "  \$ su - (not needed, if you owns installation directory)"
-    echo "  # restorecon -R ${PG_BINDIR}"
-    echo
-    echo "Or, using chcon"
-    echo
-    echo "  # chcon -t bin_t ${CMD_PSQL}"
+    EXPECT_PSQL=`matchpathcon -n ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'`
+    if [ "${EXPECT_PSQL}" = "user_home_t" ]; then
+	## Case of installation on /home directory
+	echo "  # restorecon -R ${PG_BINDIR}"
+	echo
+	echo "Or, using chcon"
+	echo
+	echo "  # chcon -t user_home_t ${CMD_PSQL}"
+    else
+	echo "  \$ su - (not needed, if you owns installation directory)"
+	if [ "${EXPECT_PSQL}" = "bin_t" ]; then
+	    echo "  # restorecon -R ${PG_BINDIR}"
+	    echo
+	    echo "Or, using chcon"
+	    echo
+	fi
+	echo "  # chcon -t user_home_t ${CMD_PSQL}"
+    fi
     echo
     exit 1
 fi
diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
index 3b1def7..a8fe247 100644
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -1,4 +1,4 @@
-policy_module(sepgsql-regtest, 1.02)
+policy_module(sepgsql-regtest, 1.03)
 
 gen_require(`
 	all_userspace_class_perms
@@ -24,6 +24,7 @@ postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
 role sepgsql_regtest_dba_r;
 userdom_base_user_template(sepgsql_regtest_dba)
 userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
+userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
 userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
 optional_policy(`
 	postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
@@ -40,6 +41,7 @@ optional_policy(`
 role sepgsql_regtest_user_r;
 userdom_base_user_template(sepgsql_regtest_user)
 userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
+userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
 userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
 optional_policy(`
 	postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)