Environment checks prior to regression tests?

Started by Kohei Kaigai over 14 years ago, 5 messages
#1 Kohei Kaigai
Kohei.Kaigai@EMEA.NEC.COM

How about an idea that allows launching an environment checker (typically a shell script) prior
to regression tests?

The following should be preconfigured to run sepgsql's regression test.
- SELinux must be running and configured in enforcing mode.
- The sepgsql-regtest policy module must be loaded.
- The sepgsql_regression_test_mode boolean must be turned on.
- The psql command should be labeled as 'bin_t'.

If checkinstall optionally allows launching an environment checker before the regression test,
we may be able to suggest that users fix up their configuration. It seems quite
helpful to me.

For example, one idea is to inject a dummy variable (mostly initialized to empty) as a
dependency of installcheck, which can be overridden in the Makefile of a contrib module, as follows:

 # against installed postmaster
 installcheck: submake $(REGRESS_PRE)
         $(pg_regress_installcheck) $(REGRESS_OPTS) $(REGRESS)

Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei.kaigai@emea.nec.com>

#2 Robert Haas
robertmhaas@gmail.com
In reply to: Kohei Kaigai (#1)
Re: Environment checks prior to regression tests?

On Thu, Jul 21, 2011 at 6:16 AM, Kohei Kaigai <Kohei.Kaigai@emea.nec.com> wrote:

How about an idea that allows to launch environment checker (typically shell scripts) prior
to regression tests?

The following stuffs should be preconfigured to run sepgsql's regression test.
- SELinux must be run and configured to enforcing mode.
- The sepgsql-regtest policy module must be loaded.
- The boolean of sepgsql_regression_test_mode must be turned on.
- The psql command should be labeled as 'bin_t'

If checkinstall optionally allows to launch an environment checker on regression test,
we may be possible to suggest users to fix up their configuration. It seems to me quite
helpful.

For example, one idea is to inject a dummy variable (mostly, initialized to empty) as
dependency of installcheck, being available to overwrite in Makefile of contrib, as follows:

 # against installed postmaster
 installcheck: submake $(REGRESS_PRE)
         $(pg_regress_installcheck) $(REGRESS_OPTS) $(REGRESS)

Seems reasonable.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

#3 Joe Conway
mail@joeconway.com
In reply to: Robert Haas (#2)
Re: Environment checks prior to regression tests?

On 07/21/2011 05:35 AM, Robert Haas wrote:

On Thu, Jul 21, 2011 at 6:16 AM, Kohei Kaigai <Kohei.Kaigai@emea.nec.com> wrote:

How about an idea that allows to launch environment checker (typically shell scripts) prior
to regression tests?

The following stuffs should be preconfigured to run sepgsql's regression test.
- SELinux must be run and configured to enforcing mode.
- The sepgsql-regtest policy module must be loaded.
- The boolean of sepgsql_regression_test_mode must be turned on.
- The psql command should be labeled as 'bin_t'

If checkinstall optionally allows to launch an environment checker on regression test,
we may be possible to suggest users to fix up their configuration. It seems to me quite
helpful.

For example, one idea is to inject a dummy variable (mostly, initialized to empty) as
dependency of installcheck, being available to overwrite in Makefile of contrib, as follows:

 # against installed postmaster
 installcheck: submake $(REGRESS_PRE)
         $(pg_regress_installcheck) $(REGRESS_OPTS) $(REGRESS)

Seems reasonable.

+1
it would have been helpful to me last month while looking at this.

Joe

--
Joe Conway
credativ LLC: http://www.credativ.us
Linux, PostgreSQL, and general Open Source
Training, Service, Consulting, & 24x7 Support

#4 Kohei KaiGai
kaigai@kaigai.gr.jp
In reply to: Joe Conway (#3)
1 attachment(s)
Re: Environment checks prior to regression tests?

The attached patch enables checking the prerequisites to run the regression
test of the sepgsql module.
It adds a dependency to installcheck that allows us to launch
a script to check the environment of the operating system.
I'd like to add this patch to the next commit-fest.

E.g., this example does not turn on the sepgsql_regression_test_mode
boolean parameter of SELinux.

[kaigai@iwashi sepgsql]$ make installcheck
:
============== checking selinux environment ==============
test unconfined_t domain ... ok
test runon command ... ok
test sestatus command ... ok
test getsebool command ... ok
test enforcing mode ... ok
test sepgsql-regtest policy ... ok
test selinux boolean ... failed

The boolean variable of 'sepgsql_regression_test_mode' must be
turned. It affects an internal state of SELinux policy, then
a set of rules to run regression test will be activated.
You can turn on this variable as follows:

$ su -
# setsebool sepgsql_regression_test_mode 1

Also note that we recommend to turn off this variable after the
regression test, because it activates unnecessary rules.

make: *** [check_selinux_environment] Error 1
[kaigai@iwashi sepgsql]$

Then, we can turn it on according to the suggestion.

[kaigai@iwashi sepgsql]$ su -
Password:
[root@iwashi ~]# setsebool sepgsql_regression_test_mode 1
[root@iwashi ~]# logout
[kaigai@iwashi sepgsql]$ make installcheck
:
============== checking selinux environment ==============
test unconfined_t domain ... ok
test runon command ... ok
test sestatus command ... ok
test getsebool command ... ok
test enforcing mode ... ok
test sepgsql-regtest policy ... ok
test selinux boolean ... ok
test label of psql ... ok
test sepgsql installation ... ok
test template1 database ... ok

../../src/test/regress/pg_regress --inputdir=.
--psqldir='/usr/local/pgsql/bin' --dbname=contrib_regression
--launcher ../../contrib/sepgsql/launcher label dml misc
(using postmaster on Unix socket, default port)
============== dropping database "contrib_regression" ==============
DROP DATABASE
============== creating database "contrib_regression" ==============
CREATE DATABASE
ALTER DATABASE
============== running regression test queries ==============
test label ... ok
test dml ... ok
test misc ... ok

=====================
All 3 tests passed.
=====================

Thanks,

--
KaiGai Kohei <kaigai@kaigai.gr.jp>

Attachments:

pgsql-v9.2-check-regtest-environment.patch (application/octet-stream)
 contrib/sepgsql/Makefile      |    4 +
 contrib/sepgsql/chkselinuxenv |  247 +++++++++++++++++++++++++++++++++++++++++
 src/makefiles/pgxs.mk         |    4 +-
 3 files changed, 253 insertions(+), 2 deletions(-)

diff --git a/contrib/sepgsql/Makefile b/contrib/sepgsql/Makefile
index bc995dd..7f997ee 100644
--- a/contrib/sepgsql/Makefile
+++ b/contrib/sepgsql/Makefile
@@ -5,6 +5,7 @@ OBJS = hooks.o selinux.o label.o dml.o \
 	schema.o relation.o proc.o
 DATA_built = sepgsql.sql
 REGRESS = label dml misc
+REGRESS_PREP = check_selinux_environment
 EXTRA_CLEAN = -r tmp *.pp sepgsql-regtest.if sepgsql-regtest.fc
 
 ifdef USE_PGXS
@@ -20,3 +21,6 @@ endif
 
 SHLIB_LINK += $(filter -lselinux, $(LIBS))
 REGRESS_OPTS += --launcher $(top_builddir)/contrib/sepgsql/launcher
+
+check_selinux_environment:
+	@$(top_builddir)/contrib/sepgsql/chkselinuxenv "$(bindir)" "$(datadir)"
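
Review bot: `check_selinux_environment` is not declared `.PHONY`, so a stray file of that name in contrib/sepgsql would make the prerequisite look up to date and silently skip the environment check; add `.PHONY: check_selinux_environment`. The recipe also locates the script through `$(top_builddir)`, but chkselinuxenv is a checked-in script rather than a build product, so in an out-of-tree build it will not be found there; resolve it relative to the source directory instead.
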
diff --git a/contrib/sepgsql/chkselinuxenv b/contrib/sepgsql/chkselinuxenv
new file mode 100755
index 0000000..0ecc93b
--- /dev/null
+++ b/contrib/sepgsql/chkselinuxenv
@@ -0,0 +1,247 @@
+#!/bin/sh
+#
+# SELinux environment checks to ensure configuration of the operating system
+# satisfies prerequisites to run regression test.
+# If incorrect settings are found, this script suggest user a hint.
+#
+PG_BINDIR="$1"
+PG_DATADIR="$2"
+
+echo
+echo "============== checking selinux environment           =============="
+
+#
+# Test.1 - must be launched at unconfined_t domain
+#
+echo -n "test unconfined_t domain      ... "
+
+DOMAIN=`id -Z | sed 's/:/ /g' | awk '{print $3}'`
+if [ "${DOMAIN}" != "unconfined_t" ]; then
+    echo "failed"
+    echo
+    echo "This regression test needs to be launched on unconfined_t domain."
+    echo
+    echo "The unconfined_t domain is mostly default domain of users' shell"
+    echo "process. So, we suggest you to revert your special configuration"
+    echo "on your system, as follows:"
+    echo
+    echo "  \$ su -"
+    echo "  # semanage login -d `whoami`"
+    echo
+    echo "Or, add a setting to login as unconfined_t domain"
+    echo
+    echo "  \$ su -"
+    echo "  # semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`"
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.2 - 'runcon' must exist and be executable
+#
+echo -n "test runon command            ... "
+
+CMD_RUNCON="`which runcon 2>/dev/null`"
+if [ ! -x "${CMD_RUNCON}" ]; then
+    echo "failed"
+    echo
+    echo "The runcon must exist and be executable; it is internally used to"
+    echo "launch psql command with a particular domain. It is mostly included"
+    echo "within coreutils package. So, our suggestion is to install the latest"
+    echo "version of this package."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.3 - 'sestatus' must exist and be executable
+#
+echo -n "test sestatus command         ... "
+
+CMD_SESTATUS="`which sestatus 2>/dev/null`"
+if [ ! -x "${CMD_SESTATUS}" ]; then
+    echo "failed"
+    echo
+    echo "The sestatus should exist and be executable; it is internally used to"
+    echo "this checks; to show configuration of SELinux. It is mostly included"
+    echo "within policycoreutils package. So, our suggestion is to install the"
+    echo "latest version of this package."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.4 - 'getsebool' must exist and be executable
+#
+echo -n "test getsebool command        ... "
+
+CMD_GETSEBOOL="`which getsebool`"
+if [ ! -x "${CMD_GETSEBOOL}" ]; then
+    echo "failed"
+    echo
+    echo "The getsebool should exist and be executable; it is internally used to"
+    echo "this checks; to show current setting of SELinux boolean variables."
+    echo "It is mostly included within libselinux-utils package. So, our suggestion"
+    echo "is to install the latest version of this package."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.5 - SELinux must be configured to enforcing mode
+#
+echo -n "test enforcing mode           ... "
+
+CURRENT_MODE=`env LANG=C ${CMD_SESTATUS} | grep 'Current mode:' | awk '{print $3}'`
+if [ "${CURRENT_MODE}" != "enforcing" ]; then
+    echo "failed"
+    echo
+    echo "SELinux must be configured to 'enforcing' mode."
+    echo "You can switch SELinux to enforcing mode using setenforce command,"
+    echo "as follows:"
+    echo
+    echo "  \$ su -"
+    echo "  # setenforce 1"
+    echo
+    echo "The system default setting is configured at /etc/selinux/config,"
+    echo "or kernel bool parameter. Please also check it, if you see this"
+    echo "message although you didn't switch to permissive mode."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.6 - 'sepgsql-regtest' policy module must be loaded
+#
+echo -n "test sepgsql-regtest policy   ... "
+
+SELINUX_MNT=`env LANG=C ${CMD_SESTATUS} | grep '^SELinuxfs mount:' | awk '{print $3}'`
+if [ ! -e ${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ]; then
+    echo "failed"
+    echo
+    echo "The 'sepgsql-regtest' policy module must be installed; that provide"
+    echo "a set of special rules for this regression test."
+    echo "You can install this module as follows:"
+    echo
+    echo "  \$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux"
+    echo "  \$ su"
+    echo "  # semodule -i contrib/sepgsql/sepgsql-regtest.pp"
+    echo
+    echo "Then, you can confirm the policy package being installed, as follows:"
+    echo
+    echo "  # semodule -l | grep sepgsql"
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.7 - 'sepgsql_regression_test_mode' must be turned on
+#
+echo -n "test selinux boolean          ... "
+
+if ! ${CMD_GETSEBOOL} sepgsql_regression_test_mode | grep -q ' on$'; then
+    echo "failed"
+    echo
+    echo "The boolean variable of 'sepgsql_regression_test_mode' must be"
+    echo "turned. It affects an internal state of SELinux policy, then"
+    echo "a set of rules to run regression test will be activated."
+    echo "You can turn on this variable as follows:"
+    echo
+    echo "  \$ su -"
+    echo "  # setsebool sepgsql_regression_test_mode 1"
+    echo
+    echo "Also note that we recommend to turn off this variable after the"
+    echo "regression test, because it activates unnecessary rules."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.8 - 'psql' command must be labeled as 'bin_t' type
+#
+echo -n "test label of psql            ... "
+
+CMD_PSQL="${PG_BINDIR}/psql"
+LABEL_PSQL=`stat -c '%C' ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'`
+if [ "${LABEL_PSQL}" != "bin_t" ]; then
+    echo "failed"
+    echo
+    echo "The ${CMD_PSQL} must be labeled as bin_t type."
+    echo "You can assign right label using restorecon, as follows:"
+    echo
+    echo "  \$ su - (not needed, if you owns installation directory)"
+    echo "  # restorecon -R ${PG_BINDIR}"
+    echo
+    echo "Or, using chcon"
+    echo
+    echo "  # chcon -t bin_t ${CMD_PSQL}"
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.9 - 'sepgsql' must be installed
+#          and, not configured to permissive mode
+#
+echo -n "test sepgsql installation     ... "
+
+VAL="`${CMD_PSQL} template1 -tc 'SHOW sepgsql.permissive' 2>/dev/null`"
+RETVAL="$?"
+if [ $RETVAL -eq 2 ]; then
+    echo "failed"
+    echo
+    echo "The postgresql server process is not connectable."
+    echo "Please check your installation first, rather than selinux settings."
+    echo
+    exit 1
+elif [ $RETVAL -ne 0 ]; then
+    echo "failed"
+    echo
+    echo "The sepgsql module was not loaded. So, our recommendation is to"
+    echo "confirm 'shared_preload_libraries' setting in postgresql.conf,"
+    echo "then restart server process."
+    echo "It must have '\$libdir/sepgsql' at least."
+    echo
+    exit 1
+elif ! echo "$VAL" | grep -q 'off$'; then
+    echo "failed"
+    echo
+    echo "The GUC variable 'sepgsql.permissive' was set to 'on', although"
+    echo "system configuration is enforcing mode."
+    echo "You should eliminate this setting from postgresql.conf, then"
+    echo "restart server process."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# Test.10 - 'template1' database must be labeled
+#
+echo -n "test template1 database       ... "
+
+NUM=`${CMD_PSQL} template1 -tc 'SELECT count(*) FROM pg_catalog.pg_seclabel' 2>/dev/null`
+if [ -z "${NUM}" -o "$NUM" -eq 0 ]; then
+    echo "failed!"
+    echo
+    echo "Initial labels must be assigned on the 'template1' database; that shall"
+    echo "be copied to the database for regression test."
+    echo "See Installation section of the PostgreSQL documentation."
+    echo
+    exit 1
+fi
+echo "ok"
+
+#
+# check complete - 
+#
+echo
+exit 0
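
Review bot: In Test.10, `[ -z "${NUM}" -o "$NUM" -eq 0 ]` does not short-circuit in shells that evaluate both sides of `-o` (bash does): when psql fails and NUM is empty, `"" -eq 0` is still evaluated, `[` returns an error status rather than true, and the script falls through to print "ok". Split it into `[ -z "${NUM}" ] || [ "${NUM}" -eq 0 ]`. Smaller points in the same file: `${SELINUX_MNT}` in Test.6 and `${CMD_PSQL}` in Test.8 through Test.10 are expanded unquoted, so an installation path containing spaces breaks the checks, and an empty SELINUX_MNT makes Test.6 probe `/booleans/...`; `which getsebool` in Test.4 lacks the `2>/dev/null` used for runcon and sestatus; the Test.2 banner says "runon" where "runcon" is meant; and `echo -n` is not portable under `#!/bin/sh`, where `printf` would be.
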
diff --git a/src/makefiles/pgxs.mk b/src/makefiles/pgxs.mk
index 05ed841..cb4dc97 100644
--- a/src/makefiles/pgxs.mk
+++ b/src/makefiles/pgxs.mk
@@ -257,7 +257,7 @@ ifndef PGXS
 endif
 
 # against installed postmaster
-installcheck: submake
+installcheck: submake $(REGRESS_PREP)
 	$(pg_regress_installcheck) $(REGRESS_OPTS) $(REGRESS)
 
 ifdef PGXS
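
Review bot: `$(REGRESS_PREP)` on the `installcheck` line is a new hook for extension Makefiles, but nothing in this hunk documents it; describe it wherever REGRESS and REGRESS_OPTS are documented so other contrib modules know it exists and what it may assume. Note also that listing it as a sibling prerequisite of `submake` gives no ordering between the two under `make -j`, so the checker's output can interleave with the submake build.
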
@@ -265,7 +265,7 @@ check:
 	@echo '"$(MAKE) check" is not supported.'
 	@echo 'Do "$(MAKE) install", then "$(MAKE) installcheck" instead.'
 else
-check: all submake
+check: all submake $(REGRESS_PREP)
 	$(pg_regress_check) --extra-install=$(subdir) $(REGRESS_OPTS) $(REGRESS)
 endif
 endif # REGRESS
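
Review bot: On `check: all submake $(REGRESS_PREP)` the prerequisite runs before `$(pg_regress_check)` has set up its temporary installation, so a checker like chkselinuxenv, which inspects psql under `"$(bindir)"` and connects to template1 on a running server, validates the installed system rather than the instance `check` is about to exercise, or fails when no server is running. Consider wiring REGRESS_PREP into `installcheck` only, or state that prep targets used with `check` must not depend on an installed server.
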

#5 Robert Haas
robertmhaas@gmail.com
In reply to: Kohei KaiGai (#4)
Re: Environment checks prior to regression tests?

On Mon, Jul 25, 2011 at 4:36 AM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:

The attached patch enables to check prerequisites to run regression
test of sepgsql module.
It adds a dependency to installcheck that allows us to launch
a script to check environment of operating system.

Committed.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company