contrib/sepgsql fails on Fedora 28

Started by Tom Lane over 7 years ago, 3 messages
#1 Tom Lane
tgl@sss.pgh.pa.us

I tried to run the regression test for sepgsql on F28 (so I could
fix the now-obsolete expected-file therein). It fails at this
preparatory step:

$ sudo semodule -u sepgsql-regtest.pp
The --upgrade option is deprecated. Use --install instead.
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
(neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
(allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
<root>
... lots more ...
optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
(allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))

Failed to generate binary
semodule: Failed!

For the moment I'll try an older Fedora release, but it seems
we have some work to do here.

regards, tom lane
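A triage helper for output like the above, as an added example that is not part of the original thread: it pulls out the failed `neverallow` location and each offending `allow` rule, grouped by the policy module that contributed it. The line layout it expects is assumed from the excerpt quoted in the message, and the function name and sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the message above, with the long
# neverallow rule body and the elided "... lots more ..." part left out.
SAMPLE = """\
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
(allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
<root>
optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
(allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))
"""

# "<kind> at .../modules/<priority>/<module>/cil:<line>"
LOC = re.compile(r"^(neverallow check failed|allow) at \S*/modules/(\d+)/([^/]+)/cil:(\d+)$")
# "(allow <source> <target> (<class> (<perm> ...)))"
RULE = re.compile(r"^\(allow (\S+) (\S+) \((\w+) \(([^)]*)\)\)\)$")

def offending_rules(text):
    """Return (neverallow_location, {module: [rule, ...]}) from semodule output."""
    neverallow, pending, by_module = None, None, defaultdict(list)
    for line in map(str.strip, text.splitlines()):
        loc = LOC.match(line)
        if loc:
            kind, prio, module, lineno = loc.groups()
            where = (module, int(prio), int(lineno))
            if kind == "allow":
                pending = where            # the rule text follows on the next line
            else:
                neverallow, pending = where, None
            continue
        rule = RULE.match(line)
        if rule and pending:
            src, tgt, cls, perms = rule.groups()
            by_module[pending[0]].append({
                "priority": pending[1], "line": pending[2],
                "source": src, "target": tgt,
                "class": cls, "perms": perms.split(),
            })
        pending = None                     # "<root>", "optional at ..." etc. reset state
    return neverallow, dict(by_module)

if __name__ == "__main__":
    failed_at, rules = offending_rules(SAMPLE)
    print("neverallow:", failed_at)
    for module, found in rules.items():
        for r in found:
            print(module, r["source"], "->", r["target"], r["class"], r["perms"])
```

Rules reported under a local module such as `sepgsql-regtest` are the ones a local patch can address; those under the distribution's `postgresql` module need the upstream policy fix.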

#2 Mike Palmiotto
mike.palmiotto@crunchydata.com
In reply to: Tom Lane (#1)
1 attachment(s)
Re: contrib/sepgsql fails on Fedora 28

On 05/24/2018 03:30 PM, Tom Lane wrote:

I tried to run the regression test for sepgsql on F28 (so I could
fix the now-obsolete expected-file therein). It fails at this
preparatory step:

$ sudo semodule -u sepgsql-regtest.pp
The --upgrade option is deprecated. Use --install instead.
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
(neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
(allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
<root>
... lots more ...
optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
(allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))

Failed to generate binary
semodule: Failed!

For the moment I'll try an older Fedora release, but it seems
we have some work to do here.

For a bit of background on the issue, `neverallow` is intended to prevent
policy that would violate certain information flow security models.

This error appears to be due to an update to the userspace install tools,
which do the proper `neverallow` check that was previously not happening. It
appears that at least part of this fix needs to take place in the upstream
policy repo, but in the meantime I've attached a patch that should stop the
build errors.

This has not yet been tested on F27 and earlier. Since the error you were
seeing is a policy-install error and the policy updates are using interfaces
that were available pre-F28, it should not affect the outcome of the build. I
have also not yet run the regression tests with the change, but likewise, this
patch should not affect that.

I will go ahead and test the fix on other platforms and make sure the regtest
is passing, but this should solve the problem for now. Let me know if anything
else catches fire.

Thanks,

--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com

Attachments:

0001-Fix-sepgsql-regression-tests-on-fedora28.patch (text/x-patch)
From 778df9fa9421f420cfb53b7831338f9220713b09 Mon Sep 17 00:00:00 2001
From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Date: Thu, 24 May 2018 18:37:08 -0400
Subject: [PATCH] Fix sepgsql regression tests on fedora28

The sepgsql-regtest policy module fails to install on F28 after
neverallow fixes to libsepol. Add missing interface calls to local
module until the proper fixes are pushed to the upstream policy repo.
---
 contrib/sepgsql/sepgsql-regtest.te | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
index e5d65243e6..bd34512609 100644
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -28,6 +28,7 @@ postgresql_schema_object(sepgsql_regtest_invisible_schema_t);
 #
 role sepgsql_regtest_superuser_r;
 userdom_base_user_template(sepgsql_regtest_superuser)
+domain_dyntrans_type(sepgsql_regtest_superuser_t)
 userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
 userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
 userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)
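Review bot: The new domain_dyntrans_type(sepgsql_regtest_superuser_t) line carries no comment marking it as a stopgap. The commit message says these calls are only needed "until the proper fixes are pushed to the upstream policy repo", so a one-line comment above the call saying so would tell a later reader that it can be dropped once the upstream policy is fixed.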
@@ -47,6 +48,14 @@ optional_policy(`
 	allow sepgsql_regtest_superuser_t { self sepgsql_client_type } : process { dyntransition };
 ')
 
+optional_policy(`
+	gen_require(`
+		type sepgsql_regtest_dba_t;
+	')
+
+	domain_dyntrans_type(sepgsql_regtest_dba_t)
+')
+
 # Type transition rules
 allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
 type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
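Review bot: The gen_require for sepgsql_regtest_dba_t in the new optional_policy block looks unnecessary. The unchanged lines right below it use that type in an unconditional allow and type_transition, which suggests the type is declared in this module; if so, domain_dyntrans_type(sepgsql_regtest_dba_t) can be called directly next to the declaration without the optional wrapper. The later hunks also pair domain_dyntrans_type with domain_type, while this one does not, and the reason for the difference should be stated.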
@@ -99,6 +108,8 @@ userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
 userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
 userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
 optional_policy(`
+	domain_type(sepgsql_regtest_user_t)
+	domain_dyntrans_type(sepgsql_regtest_user_t)
 	postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
 	postgresql_stream_connect(sepgsql_regtest_user_t)
 ')
@@ -143,12 +154,18 @@ optional_policy(`
 	gen_require(`
 		role unconfined_r;
 	')
+	domain_type(sepgsql_regtest_foo_t)
+	domain_type(sepgsql_regtest_var_t)
+	domain_dyntrans_type(sepgsql_regtest_foo_t)
+	domain_dyntrans_type(sepgsql_regtest_var_t)
 	postgresql_role(unconfined_r, sepgsql_regtest_foo_t)
 	postgresql_role(unconfined_r, sepgsql_regtest_var_t)
 	postgresql_table_object(sepgsql_regtest_foo_table_t)
 	postgresql_table_object(sepgsql_regtest_var_table_t)
 ')
 optional_policy(`
+	domain_type(sepgsql_regtest_pool_t)
+	domain_dyntrans_type(sepgsql_regtest_pool_t)
 	postgresql_stream_connect(sepgsql_regtest_pool_t)
 	postgresql_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
 ')
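Review bot: The domain_type and domain_dyntrans_type calls for sepgsql_regtest_foo_t and sepgsql_regtest_var_t sit inside the optional_policy block that requires role unconfined_r, so they only take effect when that role is available. Nothing in these calls involves unconfined_r; consider placing them outside the block, as the first hunk does for sepgsql_regtest_superuser_t. The same question applies to the sepgsql_regtest_pool_t and sepgsql_regtest_user_t additions, which are also placed inside optional_policy blocks.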
@@ -170,7 +187,9 @@ allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } sepgsql_regtest_pool_t:pro
 role sepgsql_regtest_nosuch_r;
 userdom_base_user_template(sepgsql_regtest_nosuch)
 optional_policy(`
-    postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t)
+	domain_type(sepgsql_regtest_nosuch_t)
+	domain_dyntrans_type(sepgsql_regtest_nosuch_t)
+	postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t)
 ')
 
 #
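Review bot: The postgresql_role line is removed and re-added only to change its indentation from spaces to a tab, which mixes a whitespace cleanup into a functional fix; leave the original line untouched or move the re-indent to its own patch. Separately, domain_type(sepgsql_regtest_nosuch_t) is added here although userdom_base_user_template(sepgsql_regtest_nosuch) is called just above, whereas the first hunk adds only domain_dyntrans_type after the same template, so one of the two is inconsistent.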
-- 
2.17.0

#3 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Mike Palmiotto (#2)
Re: contrib/sepgsql fails on Fedora 28

Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:

On 05/24/2018 03:30 PM, Tom Lane wrote:

I tried to run the regression test for sepgsql on F28 (so I could
fix the now-obsolete expected-file therein). It fails at this
preparatory step:
$ sudo semodule -u sepgsql-regtest.pp

This error appears to be due to an update to the userspace install tools,
which do the proper `neverallow` check that was previously not happening. It
appears that at least part of this fix needs to take place in the upstream
policy repo, but in the meantime I've attached a patch that should stop the
build errors.

I don't have any immediate need for this fix personally, since sepgsql
still works on F26. The buildfarm is not testing the case either.
So rather than push a band-aid fix that might have a short shelf-life,
I'm inclined to wait till the upstream changes land, then see if we
need to do anything.

regards, tom lane