Thread

Commits

  1. Fix contrib/sepgsql test policy to work with latest SELinux releases.

  1. sepgsql seems rather thoroughly broken on Fedora 30

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-07-17T16:32:39Z

    I tried to run the contrib/sepgsql tests, following the instructions,
    on a recently-set-up Fedora 30 machine.  I've done that successfully
    on previous Fedora releases, but it's no go with F30.
    
    First off, building the sepgsql-regtest.pp policy file spews
    a bunch of complaints that I don't recall having seen before:
    
    $ make -f /usr/share/selinux/devel/Makefile 
    /usr/share/selinux/devel/include/services/container.if:14: Error: duplicate definition of container_runtime_domtrans(). Original definition on 14.
    /usr/share/selinux/devel/include/services/container.if:41: Error: duplicate definition of container_runtime_run(). Original definition on 41.
    /usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61.
    /usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80.
    ... more of the same ...
    /usr/share/selinux/devel/include/services/container.if:726: Error: duplicate definition of docker_stream_connect(). Original definition on 726.
    /usr/share/selinux/devel/include/services/container.if:730: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 730.
    /usr/share/selinux/devel/include/services/container.if:744: Error: duplicate definition of container_spc_read_state(). Original definition on 744.
    /usr/share/selinux/devel/include/services/container.if:763: Error: duplicate definition of container_domain_template(). Original definition on 763.
    /usr/share/selinux/devel/include/services/container.if:791: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 791.
    Compiling targeted sepgsql-regtest module
    Creating targeted sepgsql-regtest.pp policy package
    rm tmp/sepgsql-regtest.mod tmp/sepgsql-regtest.mod.fc
    $
    
    The sepgsql-regtest.pp file is created anyway, and it seems to
    load into the kernel OK, so maybe these are harmless?  Or not.
    
    I got through the remaining steps OK, until getting to actually
    running the test script:
    
    $ ./test_sepgsql 
    
    ============== checking selinux environment           ==============
    checking for matchpathcon           ... ok
    checking for runcon                 ... ok
    checking for sestatus               ... ok
    checking current user domain        ... unconfined_t
    checking selinux operating mode     ... enforcing
    checking for sepgsql-regtest policy ... ok
    checking whether policy is enabled  ... on
    on
    checking whether we can run psql    ... failed
    
    /home/tgl/testversion/bin/psql must be executable from the
    sepgsql_regtest_user_t domain. That domain has restricted privileges
    compared to unconfined_t, so the problem may be the psql file's
    SELinux label. Try
    
      $ sudo restorecon -R /home/tgl/testversion/bin
    
    Or, using chcon
    
      $ sudo chcon -t user_home_t /home/tgl/testversion/bin/psql
    
    
    (BTW, what's that extra "on" after "checking whether policy is enabled"?)
    
    psql does already have that labeling according to "ls -Z",
    so unsurprisingly, the recommended remediation doesn't help.
    
    Trying to drill down a bit, I did what the script is doing:
    
    $ runcon -t sepgsql_regtest_user_t psql --help
    psql: fatal: could not look up effective user ID 1000: user does not exist
    
    But uid 1000 is me according to /etc/passwd and according to "id":
    
    $ id
    uid=1000(tgl) gid=1000(tgl) groups=1000(tgl),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    
    so there's nothing much wrong with having that as euid.
    
    I speculate that the policy is forbidding sepgsql_regtest_user_t
    from reading /etc/passwd.  Perhaps this is fallout from the
    compile problems reported for the policy module?  But I'm way
    out of my depth here.
    
    I'm pretty sure the test recipe last worked for me on F28.
    Off to try F29.
    
    			regards, tom lane
    
    
    
    
  2. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-07-17T16:54:14Z

    I wrote:
    > I tried to run the contrib/sepgsql tests, following the instructions,
    > on a recently-set-up Fedora 30 machine.  I've done that successfully
    > on previous Fedora releases, but it's no go with F30.
    > ...
    > I'm pretty sure the test recipe last worked for me on F28.
    > Off to try F29.
    
    On Fedora 29, compiling the policy file spews what look like exactly
    the same "errors".  Everything after that works.
    
    I don't have a functioning F28 installation right now, so I can't
    double-check whether the errors appear on that.
    
    			regards, tom lane
    
    
    
    
  3. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Joe Conway <mail@joeconway.com> — 2019-07-17T20:57:21Z

    On 7/17/19 12:54 PM, Tom Lane wrote:
    > I wrote:
    >> I tried to run the contrib/sepgsql tests, following the instructions,
    >> on a recently-set-up Fedora 30 machine.  I've done that successfully
    >> on previous Fedora releases, but it's no go with F30.
    >> ...
    >> I'm pretty sure the test recipe last worked for me on F28.
    >> Off to try F29.
    > 
    > On Fedora 29, compiling the policy file spews what look like exactly
    > the same "errors".  Everything after that works.
    > 
    > I don't have a functioning F28 installation right now, so I can't
    > double-check whether the errors appear on that.
    
    
    Thanks for the report -- Mike Palmiotto said he would take a look as
    soon as he can.
    
    Joe
    
    -- 
    Crunchy Data - http://crunchydata.com
    PostgreSQL Support for Secure Enterprises
    Consulting, Training, & Open Source Development
    
    
    
    
  4. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Mike Palmiotto <mike.palmiotto@crunchydata.com> — 2019-07-18T23:23:08Z

    On Wed, Jul 17, 2019 at 12:32 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >
    > I tried to run the contrib/sepgsql tests, following the instructions,
    > on a recently-set-up Fedora 30 machine.  I've done that successfully
    > on previous Fedora releases, but it's no go with F30.
    >
    > First off, building the sepgsql-regtest.pp policy file spews
    > a bunch of complaints that I don't recall having seen before:
    >
    > $ make -f /usr/share/selinux/devel/Makefile
    > /usr/share/selinux/devel/include/services/container.if:14: Error: duplicate definition of container_runtime_domtrans(). Original definition on 14.
    > /usr/share/selinux/devel/include/services/container.if:41: Error: duplicate definition of container_runtime_run(). Original definition on 41.
    > /usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61.
    > /usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80.
    > ... more of the same ...
    > /usr/share/selinux/devel/include/services/container.if:726: Error: duplicate definition of docker_stream_connect(). Original definition on 726.
    > /usr/share/selinux/devel/include/services/container.if:730: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 730.
    > /usr/share/selinux/devel/include/services/container.if:744: Error: duplicate definition of container_spc_read_state(). Original definition on 744.
    > /usr/share/selinux/devel/include/services/container.if:763: Error: duplicate definition of container_domain_template(). Original definition on 763.
    > /usr/share/selinux/devel/include/services/container.if:791: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 791.
    
    These errors are due to a conflict between "container-selinux" and
    "selinux-policy-devel." With both packages installed, you will see the
    container interface file in both
    /usr/share/selinux/devel/include/contrib and
    /usr/share/selinux/devel/include/services:
    
    % sudo find /usr/share/selinux/devel -type f -name "container.if"
    /usr/share/selinux/devel/include/contrib/container.if
    /usr/share/selinux/devel/include/services/container.if
    
    This is likely a bug that should be fixed by "container-selinux." I'll
    see what I can do about getting that fixed upstream.
    As you noted, the build errors are likely a red herring, since the .pp
    still installs and the test script recognizes the module as loaded. If
    you want to get rid of these for now and you aren't particularly
    concerned about your container policy module, you can just uninstall
    the "container-selinux" package.
    
    >
    > ============== checking selinux environment           ==============
    > checking for matchpathcon           ... ok
    > checking for runcon                 ... ok
    > checking for sestatus               ... ok
    > checking current user domain        ... unconfined_t
    > checking selinux operating mode     ... enforcing
    > checking for sepgsql-regtest policy ... ok
    > checking whether policy is enabled  ... on
    > on
    > checking whether we can run psql    ... failed
    >
    > <snip>
    > (BTW, what's that extra "on" after "checking whether policy is enabled"?)
    
    The second "on" is from the `getsebool sepgsql_enable_users_ddl`
    check, which has no associated "checking policy boolean" message.
    We'll minimally want to add more specific messages for the two
    `getsebool` checks.
    
    > $ runcon -t sepgsql_regtest_user_t psql --help
    > psql: fatal: could not look up effective user ID 1000: user does not exist
    >
    > But uid 1000 is me according to /etc/passwd and according to "id":
    >
    > $ id
    > uid=1000(tgl) gid=1000(tgl) groups=1000(tgl),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    >
    > so there's nothing much wrong with having that as euid.
    >
    > I speculate that the policy is forbidding sepgsql_regtest_user_t
    > from reading /etc/passwd.  Perhaps this is fallout from the
    > compile problems reported for the policy module?  But I'm way
    > out of my depth here.
    
    I wonder what your password file is labeled. It ought to be:
    % ls -Z /etc/passwd
    system_u:object_r:passwd_file_t:s0 /etc/passwd
    
    The sepgsql_regtest_user_t domain should be allowed to read any file
    labeled "passwd_file_t". We can check that with the `sesearch` tool,
    provided by the "setools-console" package on F30:
    
    % sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
    allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
    allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
    allow domain file_type:file map; [ domain_can_mmap_files ]:True
    allow nsswitch_domain passwd_file_t:file { getattr ioctl lock map open read };
    
    If your /etc/passwd label is not correct, you can try just running
    `restorecon -RF /` to fix it.
    
    In any case, it looks like this entire test script and policy could
    use another layer of varnish, so I'll work on fixing up the
    messages/functionality and post a patch which makes this a bit more
    robust (hopefully a bit later tonight).
    Sorry for the delayed response. Hopefully the band-aid fixes I
    provided get you going for now.
    
    -- 
    Mike Palmiotto
    Software Engineer
    Crunchy Data Solutions
    https://crunchydata.com
    
    
    
    
  5. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-07-19T03:06:31Z

    Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
    > On Wed, Jul 17, 2019 at 12:32 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >> $ runcon -t sepgsql_regtest_user_t psql --help
    >> psql: fatal: could not look up effective user ID 1000: user does not exist
    
    > I wonder what your password file is labeled. It ought to be:
    > % ls -Z /etc/passwd
    > system_u:object_r:passwd_file_t:s0 /etc/passwd
    
    Good thought, but no cigar:
    
    $ ls -Z /etc/passwd
    system_u:object_r:passwd_file_t:s0 /etc/passwd
    
    Happy to poke at anything else you can suggest.
    
    			regards, tom lane
    
    
    
    
  6. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Mike Palmiotto <mike.palmiotto@crunchydata.com> — 2019-07-19T13:37:45Z

    On Thu, Jul 18, 2019 at 11:06 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >
    > Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
    > > On Wed, Jul 17, 2019 at 12:32 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > >> $ runcon -t sepgsql_regtest_user_t psql --help
    > >> psql: fatal: could not look up effective user ID 1000: user does not exist
    
    You can rule out SELinux for this piece by running `sudo setenforce
    0`. If the `runcon ... psql` command works in Permissive we should
    look at your audit log to determine what is being denied. audit2allow
    will provide a summary of the SELinux denials and is generally a good
    starting point:
    
    # grep denied /var/log/audit/audit.log | audit2allow
    
    If SELinux is indeed the issue here and you want to avoid doing all of
    this detective work, it may be a good idea to just run a system-wide
    restorecon (assuming you didn't already do that before) to make sure
    your labels are in a decent state.
    
    FWIW, this appears to be working on my recently-installed F30 VM:
    
    % runcon -t sepgsql_regtest_user_t psql --help &> /dev/null
    % echo $?
    0
    
    Hopefully a system-wide `restorecon` just magically fixes this for
    you. Otherwise, we can start digging into denials.
    
    -- 
    Mike Palmiotto
    Software Engineer
    Crunchy Data Solutions
    https://crunchydata.com
    
    
    
    
  7. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-07-19T15:03:45Z

    Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
    > On Thu, Jul 18, 2019 at 11:06 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >>> $ runcon -t sepgsql_regtest_user_t psql --help
    >>> psql: fatal: could not look up effective user ID 1000: user does not exist
    
    > You can rule out SELinux for this piece by running `sudo setenforce
    > 0`. If the `runcon ... psql` command works in Permissive we should
    > look at your audit log to determine what is being denied. audit2allow
    > will provide a summary of the SELinux denials and is generally a good
    > starting point:
    
    > # grep denied /var/log/audit/audit.log | audit2allow
    
    It's definitely SELinux.  The grep finds entries like
    
    type=AVC msg=audit(1563547268.044:465): avc:  denied  { read } for  pid=10940 comm="psql" name="passwd" dev="sda6" ino=4721184 scontext=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
    
    which audit2allow turns into
    
    #============= sepgsql_regtest_user_t ==============
    allow sepgsql_regtest_user_t passwd_file_t:file read;
    
    So somehow, my system's interpretation of the test policy file does
    not include that permission.
    
    I tried:
    
    * restorecon / ... no effect, which is unsurprising given that /etc/passwd
    was OK already.
    
    * removing container-selinux ... this made the compile warnings go away,
    as you predicted, but no change in the test results.
    
    > FWIW, this appears to be working on my recently-installed F30 VM:
    
    > % runcon -t sepgsql_regtest_user_t psql --help &> /dev/null
    > % echo $?
    > 0
    
    Well, that's just weird.  I've not done anything to the SELinux state
    on this installation either, so what's different?
    
    I am wondering whether maybe the different behavior is a result of some
    RPM that's present on my system but not yours, or vice versa.  As
    a first stab at that, I see:
    
    $ rpm -qa | grep selinux | sort
    cockpit-selinux-198-1.fc30.noarch
    container-selinux-2.107-1.git453b816.fc30.noarch
    flatpak-selinux-1.4.2-2.fc30.x86_64
    libselinux-2.9-1.fc30.x86_64
    libselinux-devel-2.9-1.fc30.x86_64
    libselinux-utils-2.9-1.fc30.x86_64
    python3-libselinux-2.9-1.fc30.x86_64
    rpm-plugin-selinux-4.14.2.1-4.fc30.1.x86_64
    selinux-policy-3.14.3-40.fc30.noarch
    selinux-policy-devel-3.14.3-40.fc30.noarch
    selinux-policy-targeted-3.14.3-40.fc30.noarch
    tpm2-abrmd-selinux-2.0.0-4.fc30.noarch
    
    			regards, tom lane
    
    
    
    
  8. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-07-19T15:19:35Z

    Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
    > The sepgsql_regtest_user_t domain should be allowed to read any file
    > labeled "passwd_file_t". We can check that with the `sesearch` tool,
    > provided by the "setools-console" package on F30:
    
    > % sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
    > allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
    > allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
    > allow domain file_type:file map; [ domain_can_mmap_files ]:True
    > allow nsswitch_domain passwd_file_t:file { getattr ioctl lock map open read };
    
    I got around to trying this, and lookee here:
    
    $ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
    allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
    allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
    allow domain file_type:file map; [ domain_can_mmap_files ]:True
    allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
    
    Nothing about passwd_file_t.  So *something* is different about the
    way the policy is being expanded.
    
    			regards, tom lane
    
    
    
    
  9. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Mike Palmiotto <mike.palmiotto@crunchydata.com> — 2019-07-19T19:55:22Z

    On Fri, Jul 19, 2019 at 11:19 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >
    > I got around to trying this, and lookee here:
    >
    > $ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
    > allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
    > allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
    > allow domain file_type:file map; [ domain_can_mmap_files ]:True
    > allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
    >
    > Nothing about passwd_file_t.  So *something* is different about the
    > way the policy is being expanded.
    
    Okay, I was finally able to replicate the issue (and fix it). It looks
    like perhaps the userdom_base_user_template changed and no longer
    allows reading of passwd_file_t? At any rate, I added some policy to
    ensure that we have the proper permissions.
    
    I also beefed up the test script a bit so it now:
    - installs the SELinux policy module
    - spins up a temporary cluster to muddy postgresql.conf and run the
    setup sql in an isolated environment
    
    We probably need to polish this a bit more, but what do you think
    about something similar to the attached patches? They should hopefully
    reduce some of the complexity of running these regression tests.
    
    
    
    
    
    
    
    --
    Mike Palmiotto
    Software Engineer
    Crunchy Data Solutions
    https://crunchydata.com
    
  10. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-07-19T20:29:25Z

    Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
    > We probably need to polish this a bit more, but what do you think
    > about something similar to the attached patches? They should hopefully
    > reduce some of the complexity of running these regression tests.
    
    I can confirm that the 0001 patch fixes things on my Fedora 30 box.
    So that's good, though I don't know enough to evaluate it for style
    or anything like that.
    
    I don't think I like the 0002 patch very much, because of its putting
    all the sudo actions into the script.  I'd rather not give a script
    root permissions, thanks.  Maybe I'm in the minority on that.
    Also, since the documentation explicitly says that the 
    /usr/share/selinux/devel/Makefile path is not to be relied on,
    why would we hard-wire it into the script?
    
    A bigger-picture issue is that right now, configuring a cluster for
    sepgsql is a very manual process (cf. section F.35.2).  I think there's
    some advantage in forcing the user to run through that before running
    the regression test, namely that they'll get the bugs out of any
    misunderstandings or needed local changes.  If we had that a bit more
    automated then maybe having the test script do-it-for-you would be
    sensible.  (IOW, the fact that the test process is more like "make
    installcheck" than "make check" seems like a feature not a bug.)
    
    			regards, tom lane
    
    
    
    
  11. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Mike Palmiotto <mike.palmiotto@crunchydata.com> — 2019-07-19T20:49:44Z

    On Fri, Jul 19, 2019 at 4:29 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >
    > Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
    > > We probably need to polish this a bit more, but what do you think
    > > about something similar to the attached patches? They should hopefully
    > > reduce some of the complexity of running these regression tests.
    >
    > I can confirm that the 0001 patch fixes things on my Fedora 30 box.
    > So that's good, though I don't know enough to evaluate it for style
    > or anything like that.
    
    I think the policy is in need of review/rewriting anyway. The proper
    thing to do would be to create a common template for all of the
    SELinux regtest user domains and create more of a hierarchical policy
    to reduce redundancy. If you want to wait for more formal policy
    updates, I can do that in my spare time. Otherwise, the patch I posted
    should work with the general style of this policy module.
    
    >
    > I don't think I like the 0002 patch very much, because of its putting
    > all the sudo actions into the script.  I'd rather not give a script
    > root permissions, thanks.  Maybe I'm in the minority on that.
    
    Definitely not. I cringed a little bit as I was making those
    additions, but figured it was fine since it's just a test script (and
    we have to run `sudo` for various other installation items as well).
    
    > Also, since the documentation explicitly says that the
    > /usr/share/selinux/devel/Makefile path is not to be relied on,
    > why would we hard-wire it into the script?
    >
    > A bigger-picture issue is that right now, configuring a cluster for
    > sepgsql is a very manual process (cf. section F.35.2).  I think there's
    > some advantage in forcing the user to run through that before running
    > the regression test, namely that they'll get the bugs out of any
    > misunderstandings or needed local changes.  If we had that a bit more
    > automated then maybe having the test script do-it-for-you would be
    > sensible.  (IOW, the fact that the test process is more like "make
    > installcheck" than "make check" seems like a feature not a bug.)
    
    Makes sense to me. Thanks for the feedback!
    
    -- 
    Mike Palmiotto
    Software Engineer
    Crunchy Data Solutions
    https://crunchydata.com
    
    
    
    
  12. Re: sepgsql seems rather thoroughly broken on Fedora 30

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-07-25T15:09:04Z

    Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
    > On Fri, Jul 19, 2019 at 4:29 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >> I can confirm that the 0001 patch fixes things on my Fedora 30 box.
    >> So that's good, though I don't know enough to evaluate it for style
    >> or anything like that.
    
    > I think the policy is in need of review/rewriting anyway. The proper
    > thing to do would be to create a common template for all of the
    > SELinux regtest user domains and create more of a hierarchical policy
    > to reduce redundancy. If you want to wait for more formal policy
    > updates, I can do that in my spare time. Otherwise, the patch I posted
    > should work with the general style of this policy module.
    
    Hearing no further comments, I went ahead and pushed 0001 (after
    checking that it works on F28, which is the oldest Fedora version
    I have at hand right now).  Stylistic improvements to the script
    are fine, but let's get the bug fixed for now.
    
    BTW, I noticed that the documentation about how to run the tests
    is a bit stale as well --- for instance, it says to use
    
    	$ sudo semodule -u sepgsql-regtest.pp
    
    but that slaps your wrist:
    
    	The --upgrade option is deprecated. Use --install instead.
    
    So if anyone does feel like polishing things in this area, some doc
    review seems indicated.
    
    			regards, tom lane