sepgsql: label regression test failed
Hi
I've tried to test postgres 9.3.2 and 9.4devel with selinux on Fedora 20
and met with a label regression test failure.
PS
I've got some warning during build process.
--
Best regards,
Sergey Muraviov
Attachments:
regression.diffsapplication/octet-stream; name=regression.diffsDownload
*** /home/postgres/postgresql-9.3.2/contrib/sepgsql/expected/label.out 2013-12-03 00:57:48.000000000 +0400
--- /home/postgres/postgresql-9.3.2/contrib/sepgsql/results/label.out 2013-12-18 16:18:45.279277035 +0400
***************
*** 85,106 ****
WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%');
objtype | objname | label
---------+-------------+-----------------------------------------------
- column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0
- column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0
- column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0
- column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0
- column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0
- column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0
- column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0
! column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0
! column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0
! column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0
! column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0
! column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0
! column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0
! column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0
column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0
(16 rows)
--
--- 85,106 ----
WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%');
objtype | objname | label
---------+-------------+-----------------------------------------------
column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0
! column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0
! column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0
! column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0
! column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0
! column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0
! column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0
! column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0
+ column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0
(16 rows)
--
***************
*** 193,203 ****
(1 row)
SELECT sepgsql_setcon(NULL); -- failed to reset
! ERROR: SELinux: security policy violation
SELECT sepgsql_getcon();
sepgsql_getcon
--------------------------------------------------
! unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
(1 row)
BEGIN;
--- 193,207 ----
(1 row)
SELECT sepgsql_setcon(NULL); -- failed to reset
! sepgsql_setcon
! ----------------
! t
! (1 row)
!
SELECT sepgsql_getcon();
sepgsql_getcon
--------------------------------------------------
! unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
(1 row)
BEGIN;
***************
*** 270,276 ****
SELECT sepgsql_getcon(); -- should be 's0:c0.c15'
sepgsql_getcon
--------------------------------------------------
! unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
(1 row)
BEGIN;
--- 274,280 ----
SELECT sepgsql_getcon(); -- should be 's0:c0.c15'
sepgsql_getcon
--------------------------------------------------
! unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
(1 row)
BEGIN;
***************
*** 350,370 ****
(1 row)
SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c31'); -- Failed
! ERROR: SELinux: security policy violation
! CONTEXT: SQL function "f5" statement 1
SELECT sepgsql_getcon();
! sepgsql_getcon
! -----------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
(1 row)
SELECT f5(NULL); -- Failed
! ERROR: SELinux: security policy violation
! CONTEXT: SQL function "f5" statement 1
SELECT sepgsql_getcon();
! sepgsql_getcon
! -----------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
(1 row)
BEGIN;
--- 354,380 ----
(1 row)
SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c31'); -- Failed
! f5
! ----
! t
! (1 row)
!
SELECT sepgsql_getcon();
! sepgsql_getcon
! ------------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c31
(1 row)
SELECT f5(NULL); -- Failed
! f5
! ----
! t
! (1 row)
!
SELECT sepgsql_getcon();
! sepgsql_getcon
! ------------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c15
(1 row)
BEGIN;
***************
*** 382,390 ****
ABORT;
SELECT sepgsql_getcon();
! sepgsql_getcon
! -----------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
(1 row)
--
--- 392,400 ----
ABORT;
SELECT sepgsql_getcon();
! sepgsql_getcon
! ------------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c15
(1 row)
--
======================================================================
Could you show me semodule -l on your environment?
I believe security policy has not been changed between F19 and F20...
Thanks,
2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
Hi
I've tried to test postgres 9.3.2 and 9.4devel with selinux on Fedora 20 and
met with a label regression test failure.PS
I've got some warning during build process.--
Best regards,
Sergey Muraviov--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
# semodule -l | grep sepgslq
sepgsql-regtest 1.07
Full list of modules is in attachment.
2013/12/18 Kohei KaiGai <kaigai@kaigai.gr.jp>
Could you show me semodule -l on your environment?
I believe security policy has not been changed between F19 and F20...Thanks,
2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
Hi
I've tried to test postgres 9.3.2 and 9.4devel with selinux on Fedora 20
and
met with a label regression test failure.
PS
I've got some warning during build process.--
Best regards,
Sergey Muraviov--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers--
KaiGai Kohei <kaigai@kaigai.gr.jp>
--
Best regards,
Sergey Muraviov
Attachments:
Hello,
It seems to me changes in the base security policy on Fedora affected to
the regression test. Our test cases for sepgsql_setcon() utilizes the MCS
rules, that prevents domain transition from narrow categories to wider ones,
to control the success cases and failure cases.
However, its coverage was changed. It was applied all the domains in the
system, thus "unconfined_t" domain had been enforced by MCS rules.
But now, it shall be applied only domains with "mcs_constrained_type"
attribute.
[kaigai@vmlinux tmp]$ diff -up old/policy/mcs new/policy/mcs
:
<snip>
:
mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));Probably, we need to define a domain by ourselves for regression test to ensure
the test stability, not using the system "unconfined" domain that has different
meaning by release.
I'll make a patch. Please wait for a while.
Thanks for your test & reports.
2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
# semodule -l | grep sepgslq
sepgsql-regtest 1.07Full list of modules is in attachment.
2013/12/18 Kohei KaiGai <kaigai@kaigai.gr.jp>
Could you show me semodule -l on your environment?
I believe security policy has not been changed between F19 and F20...Thanks,
2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
Hi
I've tried to test postgres 9.3.2 and 9.4devel with selinux on Fedora 20
and
met with a label regression test failure.PS
I've got some warning during build process.--
Best regards,
Sergey Muraviov--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers--
KaiGai Kohei <kaigai@kaigai.gr.jp>--
Best regards,
Sergey Muraviov
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Hi.
Some regression tests for sepgsql still not work on Fedora 20:
============== running regression test queries ==============
test label ... FAILED
test dml ... ok
test ddl ... FAILED
test alter ... FAILED
test misc ... ok
======================
3 of 5 tests failed.
======================
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29
$ uname -i -o -r
3.14.3-200.fc20.x86_64 x86_64 GNU/Linux
$ /usr/local/pgsql/bin/postgres --version
postgres (PostgreSQL) 9.4beta1
PS
I've got this compiler warning:
relation.c: In function ‘sepgsql_relation_drop’:
relation.c:472:25: warning: ‘tclass’ may be used uninitialized in this
function [-Wmaybe-uninitialized]
sepgsql_avc_check_perms(&object,
^
2013-12-25 0:34 GMT+04:00 Kohei KaiGai <kaigai@kaigai.gr.jp>:
Hello,
It seems to me changes in the base security policy on Fedora affected to
the regression test. Our test cases for sepgsql_setcon() utilizes the MCS
rules, that prevents domain transition from narrow categories to wider
ones,
to control the success cases and failure cases.However, its coverage was changed. It was applied all the domains in the
system, thus "unconfined_t" domain had been enforced by MCS rules.
But now, it shall be applied only domains with "mcs_constrained_type"
attribute.[kaigai@vmlinux tmp]$ diff -up old/policy/mcs new/policy/mcs : <snip> : mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));Probably, we need to define a domain by ourselves for regression test to
ensure
the test stability, not using the system "unconfined" domain that has
different
meaning by release.I'll make a patch. Please wait for a while.
Thanks for your test & reports.
2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
# semodule -l | grep sepgslq
sepgsql-regtest 1.07Full list of modules is in attachment.
2013/12/18 Kohei KaiGai <kaigai@kaigai.gr.jp>
Could you show me semodule -l on your environment?
I believe security policy has not been changed between F19 and F20...Thanks,
2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
Hi
I've tried to test postgres 9.3.2 and 9.4devel with selinux on Fedora
20
and
met with a label regression test failure.PS
I've got some warning during build process.--
Best regards,
Sergey Muraviov--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers--
KaiGai Kohei <kaigai@kaigai.gr.jp>--
Best regards,
Sergey Muraviov--
KaiGai Kohei <kaigai@kaigai.gr.jp>
--
Best regards,
Sergey Muraviov
Attachments:
regression.diffsapplication/octet-stream; name=regression.diffsDownload
*** /home/muraviov/git/postgresql/contrib/sepgsql/expected/label.out 2014-05-12 20:52:35.116035803 +0400
--- /home/muraviov/git/postgresql/contrib/sepgsql/results/label.out 2014-05-14 08:06:35.991033891 +0400
***************
*** 193,203 ****
(1 row)
SELECT sepgsql_setcon(NULL); -- failed to reset
! ERROR: SELinux: security policy violation
SELECT sepgsql_getcon();
sepgsql_getcon
--------------------------------------------------
! unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
(1 row)
BEGIN;
--- 193,207 ----
(1 row)
SELECT sepgsql_setcon(NULL); -- failed to reset
! sepgsql_setcon
! ----------------
! t
! (1 row)
!
SELECT sepgsql_getcon();
sepgsql_getcon
--------------------------------------------------
! unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
(1 row)
BEGIN;
***************
*** 270,276 ****
SELECT sepgsql_getcon(); -- should be 's0:c0.c15'
sepgsql_getcon
--------------------------------------------------
! unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
(1 row)
BEGIN;
--- 274,280 ----
SELECT sepgsql_getcon(); -- should be 's0:c0.c15'
sepgsql_getcon
--------------------------------------------------
! unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
(1 row)
BEGIN;
***************
*** 350,370 ****
(1 row)
SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c31'); -- Failed
! ERROR: SELinux: security policy violation
! CONTEXT: SQL function "f5" statement 1
SELECT sepgsql_getcon();
! sepgsql_getcon
! -----------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
(1 row)
SELECT f5(NULL); -- Failed
! ERROR: SELinux: security policy violation
! CONTEXT: SQL function "f5" statement 1
SELECT sepgsql_getcon();
! sepgsql_getcon
! -----------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
(1 row)
BEGIN;
--- 354,380 ----
(1 row)
SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c31'); -- Failed
! f5
! ----
! t
! (1 row)
!
SELECT sepgsql_getcon();
! sepgsql_getcon
! ------------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c31
(1 row)
SELECT f5(NULL); -- Failed
! f5
! ----
! t
! (1 row)
!
SELECT sepgsql_getcon();
! sepgsql_getcon
! ------------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c15
(1 row)
BEGIN;
***************
*** 382,390 ****
ABORT;
SELECT sepgsql_getcon();
! sepgsql_getcon
! -----------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
(1 row)
--
--- 392,400 ----
ABORT;
SELECT sepgsql_getcon();
! sepgsql_getcon
! ------------------------------------------------------------
! unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c15
(1 row)
--
======================================================================
*** /home/muraviov/git/postgresql/contrib/sepgsql/expected/ddl.out 2014-05-12 20:52:35.116035803 +0400
--- /home/muraviov/git/postgresql/contrib/sepgsql/results/ddl.out 2014-05-14 08:06:42.859801632 +0400
***************
*** 46,56 ****
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
- LINE 1: CREATE TABLE regtest_table (x serial primary key, y text);
- ^
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
--- 46,51 ----
***************
*** 156,166 ****
LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.y"
LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.z"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
- LINE 1: CREATE TABLE regtest_table_4 (x int primary key, y int, z in...
- ^
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table_4"
CREATE INDEX regtest_index_tbl4_y ON regtest_table_4(y);
--- 151,156 ----
======================================================================
*** /home/muraviov/git/postgresql/contrib/sepgsql/expected/alter.out 2014-05-12 20:52:35.115035838 +0400
--- /home/muraviov/git/postgresql/contrib/sepgsql/results/alter.out 2014-05-14 08:06:46.991661904 +0400
***************
*** 143,155 ****
LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table.b"
LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_2.b"
ALTER TABLE regtest_table ADD CONSTRAINT test_fk FOREIGN KEY (a) REFERENCES regtest_table_3(x); -- not supported
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
- LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_table"
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column a"
--- 143,151 ----
======================================================================
Sorry, I've forgotten the report.
The test fails on label test come from specification change in the mcs policy.
Previously, it was applied to all the domains including unconfined_t, but now,
it became to be applied on the domain with "mcsconstrained" attribute.
This regression test run sepgsql_seton() on the system "unconfined_t" domain,
and see the behavior when process intended to move wider or narrower ranged
categories, so it was affected by system policy change, even though it is our
intention of sepgsql.
The attached patch adds "mcsconstrained" attribute on the domain for this
regression test, if this attribute exists. So, it will work on both of F20 and
older system.
Regarding to the regression test on ddl and alter, this change looks to me
hook invocation around recomputeNamespacePath() were gone, because
the schema already allowed to search was already checked.
Is the behavior around recomputeNamespacePath() recently updated?
At least, it is not a matter since {search} permission towards
"regtest_schema_2" is checked in this test scenario.
Thanks,
2014-05-14 13:33 GMT+09:00 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
Hi.
Some regression tests for sepgsql still not work on Fedora 20:
============== running regression test queries ==============
test label ... FAILED
test dml ... ok
test ddl ... FAILED
test alter ... FAILED
test misc ... ok======================
3 of 5 tests failed.
======================$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29$ uname -i -o -r
3.14.3-200.fc20.x86_64 x86_64 GNU/Linux$ /usr/local/pgsql/bin/postgres --version
postgres (PostgreSQL) 9.4beta1PS
I've got this compiler warning:
relation.c: In function ‘sepgsql_relation_drop’:
relation.c:472:25: warning: ‘tclass’ may be used uninitialized in this
function [-Wmaybe-uninitialized]
sepgsql_avc_check_perms(&object,
^2013-12-25 0:34 GMT+04:00 Kohei KaiGai <kaigai@kaigai.gr.jp>:
Hello,
It seems to me changes in the base security policy on Fedora affected to
the regression test. Our test cases for sepgsql_setcon() utilizes the MCS
rules, that prevents domain transition from narrow categories to wider
ones,
to control the success cases and failure cases.However, its coverage was changed. It was applied all the domains in the
system, thus "unconfined_t" domain had been enforced by MCS rules.
But now, it shall be applied only domains with "mcs_constrained_type"
attribute.[kaigai@vmlinux tmp]$ diff -up old/policy/mcs new/policy/mcs : <snip> : mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));Probably, we need to define a domain by ourselves for regression test to
ensure
the test stability, not using the system "unconfined" domain that has
different
meaning by release.I'll make a patch. Please wait for a while.
Thanks for your test & reports.
2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
# semodule -l | grep sepgslq
sepgsql-regtest 1.07Full list of modules is in attachment.
2013/12/18 Kohei KaiGai <kaigai@kaigai.gr.jp>
Could you show me semodule -l on your environment?
I believe security policy has not been changed between F19 and F20...Thanks,
2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
Hi
I've tried to test postgres 9.3.2 and 9.4devel with selinux on Fedora
20
and
met with a label regression test failure.PS
I've got some warning during build process.--
Best regards,
Sergey Muraviov--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers--
KaiGai Kohei <kaigai@kaigai.gr.jp>--
Best regards,
Sergey Muraviov--
KaiGai Kohei <kaigai@kaigai.gr.jp>--
Best regards,
Sergey Muraviov
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
Attachments:
sepgsql-fixup-regtest-policy.patchapplication/octet-stream; name=sepgsql-fixup-regtest-policy.patchDownload
contrib/sepgsql/expected/alter.out | 4 --
contrib/sepgsql/expected/ddl.out | 10 ----
contrib/sepgsql/expected/label.out | 100 ++++++++++++++++++-------------------
contrib/sepgsql/sepgsql-regtest.te | 11 ++--
contrib/sepgsql/sql/label.sql | 18 +++----
5 files changed, 67 insertions(+), 76 deletions(-)
diff --git a/contrib/sepgsql/expected/alter.out b/contrib/sepgsql/expected/alter.out
index 124f862..79c3391 100644
--- a/contrib/sepgsql/expected/alter.out
+++ b/contrib/sepgsql/expected/alter.out
@@ -143,13 +143,9 @@ ALTER TABLE regtest_table ALTER b SET STORAGE PLAIN;
LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table.b"
LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_2.b"
ALTER TABLE regtest_table ADD CONSTRAINT test_fk FOREIGN KEY (a) REFERENCES regtest_table_3(x); -- not supported
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_table"
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column a"
diff --git a/contrib/sepgsql/expected/ddl.out b/contrib/sepgsql/expected/ddl.out
index 08cd6d5..a94e0e3 100644
--- a/contrib/sepgsql/expected/ddl.out
+++ b/contrib/sepgsql/expected/ddl.out
@@ -46,11 +46,6 @@ LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
-LINE 1: CREATE TABLE regtest_table (x serial primary key, y text);
- ^
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
@@ -156,11 +151,6 @@ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_
LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.y"
LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.z"
LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
-LINE 1: CREATE TABLE regtest_table_4 (x int primary key, y int, z in...
- ^
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table_4"
CREATE INDEX regtest_index_tbl4_y ON regtest_table_4(y);
diff --git a/contrib/sepgsql/expected/label.out b/contrib/sepgsql/expected/label.out
index 9d1f904..8d0b60a 100644
--- a/contrib/sepgsql/expected/label.out
+++ b/contrib/sepgsql/expected/label.out
@@ -175,138 +175,138 @@ LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_re
--
-- validation of transaction aware dynamic-transition
SELECT sepgsql_getcon(); -- confirm client privilege
- sepgsql_getcon
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
+ sepgsql_getcon
+-----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c25
(1 row)
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15');
sepgsql_setcon
----------------
t
(1 row)
SELECT sepgsql_getcon();
- sepgsql_getcon
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
+ sepgsql_getcon
+-----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15
(1 row)
SELECT sepgsql_setcon(NULL); -- failed to reset
ERROR: SELinux: security policy violation
SELECT sepgsql_getcon();
- sepgsql_getcon
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
+ sepgsql_getcon
+-----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15
(1 row)
BEGIN;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c12');
sepgsql_setcon
----------------
t
(1 row)
SELECT sepgsql_getcon();
- sepgsql_getcon
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
+ sepgsql_getcon
+-----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c12
(1 row)
SAVEPOINT svpt_1;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c9');
sepgsql_setcon
----------------
t
(1 row)
SELECT sepgsql_getcon();
- sepgsql_getcon
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
+ sepgsql_getcon
+----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c9
(1 row)
SAVEPOINT svpt_2;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6');
sepgsql_setcon
----------------
t
(1 row)
SELECT sepgsql_getcon();
- sepgsql_getcon
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
+ sepgsql_getcon
+----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6
(1 row)
SAVEPOINT svpt_3;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c3');
sepgsql_setcon
----------------
t
(1 row)
SELECT sepgsql_getcon();
- sepgsql_getcon
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c3
+ sepgsql_getcon
+----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c3
(1 row)
ROLLBACK TO SAVEPOINT svpt_2;
SELECT sepgsql_getcon(); -- should be 's0:c0.c9'
- sepgsql_getcon
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
+ sepgsql_getcon
+----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c9
(1 row)
ROLLBACK TO SAVEPOINT svpt_1;
SELECT sepgsql_getcon(); -- should be 's0:c0.c12'
- sepgsql_getcon
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
+ sepgsql_getcon
+-----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c12
(1 row)
ABORT;
SELECT sepgsql_getcon(); -- should be 's0:c0.c15'
- sepgsql_getcon
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
+ sepgsql_getcon
+-----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15
(1 row)
BEGIN;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c8');
sepgsql_setcon
----------------
t
(1 row)
SELECT sepgsql_getcon();
- sepgsql_getcon
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
+ sepgsql_getcon
+----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c8
(1 row)
SAVEPOINT svpt_1;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c4');
sepgsql_setcon
----------------
t
(1 row)
SELECT sepgsql_getcon();
- sepgsql_getcon
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c4
+ sepgsql_getcon
+----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c4
(1 row)
ROLLBACK TO SAVEPOINT svpt_1;
SELECT sepgsql_getcon(); -- should be 's0:c0.c8'
- sepgsql_getcon
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
+ sepgsql_getcon
+----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c8
(1 row)
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6');
sepgsql_setcon
----------------
t
@@ -314,9 +314,9 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
COMMIT;
SELECT sepgsql_getcon(); -- should be 's0:c0.c6'
- sepgsql_getcon
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
+ sepgsql_getcon
+----------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6
(1 row)
-- sepgsql_regtest_user_t is not available dynamic-transition,
diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
index 8727523..244a40a 100644
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -1,4 +1,4 @@
-policy_module(sepgsql-regtest, 1.07)
+policy_module(sepgsql-regtest, 1.08)
gen_require(`
all_userspace_class_perms
@@ -39,9 +39,11 @@ optional_policy(`
unconfined_stream_connect(sepgsql_regtest_dba_t)
unconfined_rw_pipes(sepgsql_regtest_dba_t)
')
-
+optional_policy(`
+ mcs_constrained(sepgsql_regtest_dba_t)
+')
# Type transition rules
-allow sepgsql_regtest_dba_t self : process { setcurrent };
+allow sepgsql_regtest_dba_t self : process { setcurrent dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition };
@@ -77,6 +79,9 @@ optional_policy(`
unconfined_stream_connect(sepgsql_regtest_user_t)
unconfined_rw_pipes(sepgsql_regtest_user_t)
')
+optional_policy(`
+ mcs_constrained(sepgsql_regtest_user_t)
+')
# Type transition rules
allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
diff --git a/contrib/sepgsql/sql/label.sql b/contrib/sepgsql/sql/label.sql
index 7a05c24..602852e 100644
--- a/contrib/sepgsql/sql/label.sql
+++ b/contrib/sepgsql/sql/label.sql
@@ -110,27 +110,27 @@ SELECT sepgsql_getcon(); -- client's label must be restored
--
-- validation of transaction aware dynamic-transition
--- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c25
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15');
SELECT sepgsql_getcon();
SELECT sepgsql_setcon(NULL); -- failed to reset
SELECT sepgsql_getcon();
BEGIN;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c12');
SELECT sepgsql_getcon();
SAVEPOINT svpt_1;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c9');
SELECT sepgsql_getcon();
SAVEPOINT svpt_2;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6');
SELECT sepgsql_getcon();
SAVEPOINT svpt_3;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c3');
SELECT sepgsql_getcon();
ROLLBACK TO SAVEPOINT svpt_2;
@@ -143,16 +143,16 @@ ABORT;
SELECT sepgsql_getcon(); -- should be 's0:c0.c15'
BEGIN;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c8');
SELECT sepgsql_getcon();
SAVEPOINT svpt_1;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c4');
SELECT sepgsql_getcon();
ROLLBACK TO SAVEPOINT svpt_1;
SELECT sepgsql_getcon(); -- should be 's0:c0.c8'
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6');
COMMIT;
SELECT sepgsql_getcon(); -- should be 's0:c0.c6'
On 05/14/2014 07:33 AM, Sergey Muraviov wrote:
I've got this compiler warning:
relation.c: In function ‘sepgsql_relation_drop’:
relation.c:472:25: warning: ‘tclass’ may be used uninitialized in this
function [-Wmaybe-uninitialized]
sepgsql_avc_check_perms(&object,
^
KaiGei, could you take a look at this warning, too? It looks like a
genuine bug to me, but I'm not sure what we should do there instead.
- Heikki
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
2014-05-16 16:26 GMT+09:00 Heikki Linnakangas <hlinnakangas@vmware.com>:
On 05/14/2014 07:33 AM, Sergey Muraviov wrote:
I've got this compiler warning:
relation.c: In function ‘sepgsql_relation_drop’:
relation.c:472:25: warning: ‘tclass’ may be used uninitialized in this
function [-Wmaybe-uninitialized]
sepgsql_avc_check_perms(&object,
^KaiGei, could you take a look at this warning, too? It looks like a genuine
bug to me, but I'm not sure what we should do there instead.
This warning is harmless, because the code path that does not initialize
"tclass" variable (a case when dropped relation is index) never goes to
the code path that references "tclass".
It just checks schema's {remove_name} permission, then jumps to
another code path for index, never backed.
BTW, I could not produce this message in my environment with -Wall.
(Fedora 20, gcc-4.8.2). Is it a newer compiler's wisdom?
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
Attachments:
sepgsql-fixup-maybe-uninitialized-warnning.patchapplication/octet-stream; name=sepgsql-fixup-maybe-uninitialized-warnning.patchDownload
diff --git a/contrib/sepgsql/relation.c b/contrib/sepgsql/relation.c
index 14c877e..ed64022 100644
--- a/contrib/sepgsql/relation.c
+++ b/contrib/sepgsql/relation.c
@@ -432,7 +432,12 @@ sepgsql_relation_drop(Oid relOid)
/* ignore indexes on toast tables */
if (get_rel_namespace(relOid) == PG_TOAST_NAMESPACE)
return;
- /* other indexes are handled specially below; no need for tclass */
+ /*
+ * deletion of index is treated as property update of the table
+ * being indexed, so no need to assign particular tclass here,
+ * but we put invalid one for compiler quite.
+ */
+ tclass = SEPG_CLASS_MAX;
break;
default:
/* ignore other relkinds */