sepgsql seems rather thoroughly broken on Fedora 30
I tried to run the contrib/sepgsql tests, following the instructions,
on a recently-set-up Fedora 30 machine. I've done that successfully
on previous Fedora releases, but it's no go with F30.
First off, building the sepgsql-regtest.pp policy file spews
a bunch of complaints that I don't recall having seen before:
$ make -f /usr/share/selinux/devel/Makefile
/usr/share/selinux/devel/include/services/container.if:14: Error: duplicate definition of container_runtime_domtrans(). Original definition on 14.
/usr/share/selinux/devel/include/services/container.if:41: Error: duplicate definition of container_runtime_run(). Original definition on 41.
/usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61.
/usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80.
... more of the same ...
/usr/share/selinux/devel/include/services/container.if:726: Error: duplicate definition of docker_stream_connect(). Original definition on 726.
/usr/share/selinux/devel/include/services/container.if:730: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 730.
/usr/share/selinux/devel/include/services/container.if:744: Error: duplicate definition of container_spc_read_state(). Original definition on 744.
/usr/share/selinux/devel/include/services/container.if:763: Error: duplicate definition of container_domain_template(). Original definition on 763.
/usr/share/selinux/devel/include/services/container.if:791: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 791.
Compiling targeted sepgsql-regtest module
Creating targeted sepgsql-regtest.pp policy package
rm tmp/sepgsql-regtest.mod tmp/sepgsql-regtest.mod.fc
$
The sepgsql-regtest.pp file is created anyway, and it seems to
load into the kernel OK, so maybe these are harmless? Or not.
I got through the remaining steps OK, until getting to actually
running the test script:
$ ./test_sepgsql
============== checking selinux environment ==============
checking for matchpathcon ... ok
checking for runcon ... ok
checking for sestatus ... ok
checking current user domain ... unconfined_t
checking selinux operating mode ... enforcing
checking for sepgsql-regtest policy ... ok
checking whether policy is enabled ... on
on
checking whether we can run psql ... failed
/home/tgl/testversion/bin/psql must be executable from the
sepgsql_regtest_user_t domain. That domain has restricted privileges
compared to unconfined_t, so the problem may be the psql file's
SELinux label. Try
$ sudo restorecon -R /home/tgl/testversion/bin
Or, using chcon
$ sudo chcon -t user_home_t /home/tgl/testversion/bin/psql
(BTW, what's that extra "on" after "checking whether policy is enabled"?)
psql does already have that labeling according to "ls -Z",
so unsurprisingly, the recommended remediation doesn't help.
Trying to drill down a bit, I did what the script is doing:
$ runcon -t sepgsql_regtest_user_t psql --help
psql: fatal: could not look up effective user ID 1000: user does not exist
But uid 1000 is me according to /etc/passwd and according to "id":
$ id
uid=1000(tgl) gid=1000(tgl) groups=1000(tgl),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
so there's nothing much wrong with having that as euid.
I speculate that the policy is forbidding sepgsql_regtest_user_t
from reading /etc/passwd. Perhaps this is fallout from the
compile problems reported for the policy module? But I'm way
out of my depth here.
I'm pretty sure the test recipe last worked for me on F28.
Off to try F29.
regards, tom lane
I wrote:
I tried to run the contrib/sepgsql tests, following the instructions,
on a recently-set-up Fedora 30 machine. I've done that successfully
on previous Fedora releases, but it's no go with F30.
...
I'm pretty sure the test recipe last worked for me on F28.
Off to try F29.
On Fedora 29, compiling the policy file spews what look like exactly
the same "errors". Everything after that works.
I don't have a functioning F28 installation right now, so I can't
double-check whether the errors appear on that.
regards, tom lane
On 7/17/19 12:54 PM, Tom Lane wrote:
I wrote:
I tried to run the contrib/sepgsql tests, following the instructions,
on a recently-set-up Fedora 30 machine. I've done that successfully
on previous Fedora releases, but it's no go with F30.
...
I'm pretty sure the test recipe last worked for me on F28.
Off to try F29.On Fedora 29, compiling the policy file spews what look like exactly
the same "errors". Everything after that works.I don't have a functioning F28 installation right now, so I can't
double-check whether the errors appear on that.
Thanks for the report -- Mike Palmiotto said he would take a look as
soon as he can.
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
On Wed, Jul 17, 2019 at 12:32 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
I tried to run the contrib/sepgsql tests, following the instructions,
on a recently-set-up Fedora 30 machine. I've done that successfully
on previous Fedora releases, but it's no go with F30.First off, building the sepgsql-regtest.pp policy file spews
a bunch of complaints that I don't recall having seen before:$ make -f /usr/share/selinux/devel/Makefile
/usr/share/selinux/devel/include/services/container.if:14: Error: duplicate definition of container_runtime_domtrans(). Original definition on 14.
/usr/share/selinux/devel/include/services/container.if:41: Error: duplicate definition of container_runtime_run(). Original definition on 41.
/usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61.
/usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80.
... more of the same ...
/usr/share/selinux/devel/include/services/container.if:726: Error: duplicate definition of docker_stream_connect(). Original definition on 726.
/usr/share/selinux/devel/include/services/container.if:730: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 730.
/usr/share/selinux/devel/include/services/container.if:744: Error: duplicate definition of container_spc_read_state(). Original definition on 744.
/usr/share/selinux/devel/include/services/container.if:763: Error: duplicate definition of container_domain_template(). Original definition on 763.
/usr/share/selinux/devel/include/services/container.if:791: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 791.
These errors are due to a conflict between "container-selinux" and
"selinux-policy-devel." With both packages installed, you will see the
container interface file in both
/usr/share/selinux/devel/include/contrib and
/usr/share/selinux/devel/include/services:
% sudo find /usr/share/selinux/devel -type f -name "container.if"
/usr/share/selinux/devel/include/contrib/container.if
/usr/share/selinux/devel/include/services/container.if
This is likely a bug that should be fixed by "container-selinux." I'll
see what I can do about getting that fixed upstream.
As you noted, the build errors are likely a red herring, since the .pp
still installs and the test script recognizes the module as loaded. If
you want to get rid of these for now and you aren't particularly
concerned about your container policy module, you can just uninstall
the "container-selinux" package.
============== checking selinux environment ==============
checking for matchpathcon ... ok
checking for runcon ... ok
checking for sestatus ... ok
checking current user domain ... unconfined_t
checking selinux operating mode ... enforcing
checking for sepgsql-regtest policy ... ok
checking whether policy is enabled ... on
on
checking whether we can run psql ... failed<snip>
(BTW, what's that extra "on" after "checking whether policy is enabled"?)
The second "on" is from the `getsebool sepgsql_enable_users_ddl`
check, which has no associated "checking policy boolean" message.
We'll minimally want to add more specific messages for the two
`getsebool` checks.
$ runcon -t sepgsql_regtest_user_t psql --help
psql: fatal: could not look up effective user ID 1000: user does not existBut uid 1000 is me according to /etc/passwd and according to "id":
$ id
uid=1000(tgl) gid=1000(tgl) groups=1000(tgl),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023so there's nothing much wrong with having that as euid.
I speculate that the policy is forbidding sepgsql_regtest_user_t
from reading /etc/passwd. Perhaps this is fallout from the
compile problems reported for the policy module? But I'm way
out of my depth here.
I wonder what your password file is labeled. It ought to be:
% ls -Z /etc/passwd
system_u:object_r:passwd_file_t:s0 /etc/passwd
The sepgsql_regtest_user_t domain should be allowed to read any file
labeled "passwd_file_t". We can check that with the `sesearch` tool,
provided by the "setools-console" package on F30:
% sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nsswitch_domain passwd_file_t:file { getattr ioctl lock map open read };
If your /etc/passwd label is not correct, you can try just running
`restorecon -RF /` to fix it.
In any case, it looks like this entire test script and policy could
use another layer of varnish, so I'll work on fixing up the
messages/functionality and post a patch which makes this a bit more
robust (hopefully a bit later tonight).
Sorry for the delayed response. Hopefully the band-aid fixes I
provided get you going for now.
--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
On Wed, Jul 17, 2019 at 12:32 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
$ runcon -t sepgsql_regtest_user_t psql --help
psql: fatal: could not look up effective user ID 1000: user does not exist
I wonder what your password file is labeled. It ought to be:
% ls -Z /etc/passwd
system_u:object_r:passwd_file_t:s0 /etc/passwd
Good thought, but no cigar:
$ ls -Z /etc/passwd
system_u:object_r:passwd_file_t:s0 /etc/passwd
Happy to poke at anything else you can suggest.
regards, tom lane
On Thu, Jul 18, 2019 at 11:06 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
On Wed, Jul 17, 2019 at 12:32 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
$ runcon -t sepgsql_regtest_user_t psql --help
psql: fatal: could not look up effective user ID 1000: user does not exist
You can rule out SELinux for this piece by running `sudo setenforce
0`. If the `runcon ... psql` command works in Permissive we should
look at your audit log to determine what is being denied. audit2allow
will provide a summary of the SELinux denials and is generally a good
starting point:
# grep denied /var/log/audit/audit.log | audit2allow
If SELinux is indeed the issue here and you want to avoid doing all of
this detective work, it may be a good idea to just run a system-wide
restorecon (assuming you didn't already do that before) to make sure
your labels are in a decent state.
FWIW, this appears to be working on my recently-installed F30 VM:
% runcon -t sepgsql_regtest_user_t psql --help &> /dev/null
% echo $?
0
Hopefully a system-wide `restorecon` just magically fixes this for
you. Otherwise, we can start digging into denials.
--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
On Thu, Jul 18, 2019 at 11:06 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
$ runcon -t sepgsql_regtest_user_t psql --help
psql: fatal: could not look up effective user ID 1000: user does not exist
You can rule out SELinux for this piece by running `sudo setenforce
0`. If the `runcon ... psql` command works in Permissive we should
look at your audit log to determine what is being denied. audit2allow
will provide a summary of the SELinux denials and is generally a good
starting point:
# grep denied /var/log/audit/audit.log | audit2allow
It's definitely SELinux. The grep finds entries like
type=AVC msg=audit(1563547268.044:465): avc: denied { read } for pid=10940 comm="psql" name="passwd" dev="sda6" ino=4721184 scontext=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
which audit2allow turns into
#============= sepgsql_regtest_user_t ==============
allow sepgsql_regtest_user_t passwd_file_t:file read;
So somehow, my system's interpretation of the test policy file does
not include that permission.
I tried:
* restorecon / ... no effect, which is unsurprising given that /etc/passwd
was OK already.
* removing container-selinux ... this made the compile warnings go away,
as you predicted, but no change in the test results.
FWIW, this appears to be working on my recently-installed F30 VM:
% runcon -t sepgsql_regtest_user_t psql --help &> /dev/null
% echo $?
0
Well, that's just weird. I've not done anything to the SELinux state
on this installation either, so what's different?
I am wondering whether maybe the different behavior is a result of some
RPM that's present on my system but not yours, or vice versa. As
a first stab at that, I see:
$ rpm -qa | grep selinux | sort
cockpit-selinux-198-1.fc30.noarch
container-selinux-2.107-1.git453b816.fc30.noarch
flatpak-selinux-1.4.2-2.fc30.x86_64
libselinux-2.9-1.fc30.x86_64
libselinux-devel-2.9-1.fc30.x86_64
libselinux-utils-2.9-1.fc30.x86_64
python3-libselinux-2.9-1.fc30.x86_64
rpm-plugin-selinux-4.14.2.1-4.fc30.1.x86_64
selinux-policy-3.14.3-40.fc30.noarch
selinux-policy-devel-3.14.3-40.fc30.noarch
selinux-policy-targeted-3.14.3-40.fc30.noarch
tpm2-abrmd-selinux-2.0.0-4.fc30.noarch
regards, tom lane
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
The sepgsql_regtest_user_t domain should be allowed to read any file
labeled "passwd_file_t". We can check that with the `sesearch` tool,
provided by the "setools-console" package on F30:
% sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nsswitch_domain passwd_file_t:file { getattr ioctl lock map open read };
I got around to trying this, and lookee here:
$ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
Nothing about passwd_file_t. So *something* is different about the
way the policy is being expanded.
regards, tom lane
On Fri, Jul 19, 2019 at 11:19 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
I got around to trying this, and lookee here:
$ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:TrueNothing about passwd_file_t. So *something* is different about the
way the policy is being expanded.
Okay, I was finally able to replicate the issue (and fix it). It looks
like perhaps the userdom_base_user_template changed and no longer
allows reading of passwd_file_t? At any rate, I added some policy to
ensure that we have the proper permissions.
I also beefed up the test script a bit so it now:
- installs the SELinux policy module
- spins up a temporary cluster to muddy postgresql.conf and run the
setup sql in an isolated environment
We probably need to polish this a bit more, but what do you think
about something similar to the attached patches? They should hopefully
reduce some of the complexity of running these regression tests.
--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com
Attachments:
0001-Make-sepgsql-regtest-policy-module-less-error-prone.patchtext/x-patch; charset=US-ASCII; name=0001-Make-sepgsql-regtest-policy-module-less-error-prone.patchDownload
From 7f22a9d40ab5ad5334351932bd9010f538ba222a Mon Sep 17 00:00:00 2001
From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Date: Fri, 19 Jul 2019 14:15:23 -0400
Subject: [PATCH 1/2] Make sepgsql-regtest policy module less error-prone
---
contrib/sepgsql/sepgsql-regtest.te | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
index e5d65243e6..5d9af1a0dd 100644
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -31,6 +31,9 @@ userdom_base_user_template(sepgsql_regtest_superuser)
userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)
+
+auth_read_passwd(sepgsql_regtest_superuser_t)
+
optional_policy(`
postgresql_stream_connect(sepgsql_regtest_superuser_t)
postgresql_unconfined(sepgsql_regtest_superuser_t)
@@ -60,6 +63,9 @@ userdom_base_user_template(sepgsql_regtest_dba)
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
+
+auth_read_passwd(sepgsql_regtest_dba_t)
+
optional_policy(`
postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
postgresql_stream_connect(sepgsql_regtest_dba_t)
@@ -98,6 +104,9 @@ userdom_base_user_template(sepgsql_regtest_user)
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
+
+auth_read_passwd(sepgsql_regtest_user_t)
+
optional_policy(`
postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
postgresql_stream_connect(sepgsql_regtest_user_t)
@@ -126,6 +135,8 @@ userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
userdom_exec_user_home_content_files(sepgsql_regtest_pool_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t)
+auth_read_passwd(sepgsql_regtest_pool_t)
+
type sepgsql_regtest_foo_t;
type sepgsql_regtest_var_t;
type sepgsql_regtest_foo_table_t;
--
2.21.0
0002-Add-sandboxed-cluster-for-sepgsql-regression-tests.patchtext/x-patch; charset=US-ASCII; name=0002-Add-sandboxed-cluster-for-sepgsql-regression-tests.patchDownload
From 53fb4c662347311ef6e21ca4c82b64c358f2096b Mon Sep 17 00:00:00 2001
From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Date: Fri, 19 Jul 2019 14:29:22 -0400
Subject: [PATCH 2/2] Add sandboxed cluster for sepgsql regression tests
---
contrib/sepgsql/test_sepgsql | 47 ++++++++++++++++++++++++++++++++----
1 file changed, 42 insertions(+), 5 deletions(-)
diff --git a/contrib/sepgsql/test_sepgsql b/contrib/sepgsql/test_sepgsql
index 7530363d2c..d14a1c28bc 100755
--- a/contrib/sepgsql/test_sepgsql
+++ b/contrib/sepgsql/test_sepgsql
@@ -15,7 +15,43 @@
PG_BINDIR=`pg_config --bindir`
# we must move to contrib/sepgsql directory to run pg_regress correctly
-cd `dirname $0`
+cd `dirname $0` || exit 1
+
+# Shut down existing test cluster and delete tmp directory if we have it
+if [ -d tmp/ ]; then
+ # Make sure we don't have a lingering regression test cluster installed
+ $PG_BINDIR/pg_ctl -D tmp -o "-p 15432" stop
+
+ sudo rm -rf tmp/
+fi
+
+# Iniitalize our test environment
+if ! $PG_BINDIR/pg_ctl initdb -D tmp; then
+ echo "test cluster initdb error"
+ exit 1
+fi
+
+echo "shared_preload_libraries = 'sepgsql'" >> tmp/postgresql.conf
+
+for DBNAME in template0 template1 postgres;
+do
+ $PG_BINDIR/postgres --single -F -c exit_on_error=true -p 15432 -D tmp/ $DBNAME \
+ < sepgsql.sql > /dev/null
+done
+
+# Reload the policy module
+if ! sudo make -f /usr/share/selinux/devel/Makefile reload; then
+ echo "policy reload error"
+ echo ""
+ echo "Unable to build sepgsql-regtest policy module."
+ echo "Please check that you have the selinux policy source installed."
+ echo "The development source is typically included in selinux-policy-devel package."
+ exit 1
+fi
+
+if ! $PG_BINDIR/pg_ctl --log=tmp/sepgsql.log -D tmp -o "-p 15432" start; then
+ exit 1
+fi
echo
echo "============== checking selinux environment =============="
@@ -139,7 +175,7 @@ fi
echo "ok"
# Verify that sepgsql_regression_test_mode is active.
-echo -n "checking whether policy is enabled ... "
+echo -n "checking whether sepgsql_regression_test_mode policy boolean is enabled ... "
POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'`
echo ${POLICY_STATUS:-failed}
if [ "${POLICY_STATUS}" != on ]; then
@@ -166,6 +202,7 @@ if [ "${POLICY_STATUS}" != on ]; then
exit 1
fi
POLICY_STATUS=`getsebool sepgsql_enable_users_ddl | awk '{print $3}'`
+echo -n "checking whether sepgsql_enable_users_ddl policy boolean is enabled ... "
echo ${POLICY_STATUS:-failed}
if [ "${POLICY_STATUS}" != on ]; then
echo ""
@@ -233,7 +270,7 @@ echo "ok"
# loadable module must be installed and not configured to permissive mode
echo -n "checking sepgsql installation ... "
-VAL="`${CMD_PSQL} -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null`"
+VAL="`${CMD_PSQL} -p 15432 -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null`"
RETVAL="$?"
if [ $RETVAL -eq 2 ]; then
echo "failed"
@@ -266,7 +303,7 @@ echo "ok"
# NOTE: this test is wrong; we really ought to be checking template0.
# But we can't connect to that without extra pushups, and it's not worth it.
echo -n "checking for labels in template1 ... "
-NUM=`${CMD_PSQL} -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null`
+NUM=`${CMD_PSQL} -p 15432 -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null`
if [ -z "${NUM}" ]; then
echo "failed"
echo ""
@@ -287,6 +324,6 @@ echo "found ${NUM}"
echo
echo "============== running sepgsql regression tests =============="
-make REGRESS="label dml ddl alter misc" REGRESS_OPTS="--launcher ./launcher" installcheck
+make REGRESS="label dml ddl alter misc" REGRESS_OPTS="--port=15432 --launcher ./launcher" installcheck
# exit with the exit code provided by "make"
--
2.21.0
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
We probably need to polish this a bit more, but what do you think
about something similar to the attached patches? They should hopefully
reduce some of the complexity of running these regression tests.
I can confirm that the 0001 patch fixes things on my Fedora 30 box.
So that's good, though I don't know enough to evaluate it for style
or anything like that.
I don't think I like the 0002 patch very much, because of its putting
all the sudo actions into the script. I'd rather not give a script
root permissions, thanks. Maybe I'm in the minority on that.
Also, since the documentation explicitly says that the
/usr/share/selinux/devel/Makefile path is not to be relied on,
why would we hard-wire it into the script?
A bigger-picture issue is that right now, configuring a cluster for
sepgsql is a very manual process (cf. section F.35.2). I think there's
some advantage in forcing the user to run through that before running
the regression test, namely that they'll get the bugs out of any
misunderstandings or needed local changes. If we had that a bit more
automated then maybe having the test script do-it-for-you would be
sensible. (IOW, the fact that the test process is more like "make
installcheck" than "make check" seems like a feature not a bug.)
regards, tom lane
On Fri, Jul 19, 2019 at 4:29 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
We probably need to polish this a bit more, but what do you think
about something similar to the attached patches? They should hopefully
reduce some of the complexity of running these regression tests.I can confirm that the 0001 patch fixes things on my Fedora 30 box.
So that's good, though I don't know enough to evaluate it for style
or anything like that.
I think the policy is in need of review/rewriting anyway. The proper
thing to do would be to create a common template for all of the
SELinux regtest user domains and create more of a hierarchical policy
to reduce redundancy. If you want to wait for more formal policy
updates, I can do that in my spare time. Otherwise, the patch I posted
should work with the general style of this policy module.
I don't think I like the 0002 patch very much, because of its putting
all the sudo actions into the script. I'd rather not give a script
root permissions, thanks. Maybe I'm in the minority on that.
Definitely not. I cringed a little bit as I was making those
additions, but figured it was fine since it's just a test script (and
we have to run `sudo` for various other installation items as well).
Also, since the documentation explicitly says that the
/usr/share/selinux/devel/Makefile path is not to be relied on,
why would we hard-wire it into the script?A bigger-picture issue is that right now, configuring a cluster for
sepgsql is a very manual process (cf. section F.35.2). I think there's
some advantage in forcing the user to run through that before running
the regression test, namely that they'll get the bugs out of any
misunderstandings or needed local changes. If we had that a bit more
automated then maybe having the test script do-it-for-you would be
sensible. (IOW, the fact that the test process is more like "make
installcheck" than "make check" seems like a feature not a bug.)
Makes sense to me. Thanks for the feedback!
--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
On Fri, Jul 19, 2019 at 4:29 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
I can confirm that the 0001 patch fixes things on my Fedora 30 box.
So that's good, though I don't know enough to evaluate it for style
or anything like that.
I think the policy is in need of review/rewriting anyway. The proper
thing to do would be to create a common template for all of the
SELinux regtest user domains and create more of a hierarchical policy
to reduce redundancy. If you want to wait for more formal policy
updates, I can do that in my spare time. Otherwise, the patch I posted
should work with the general style of this policy module.
Hearing no further comments, I went ahead and pushed 0001 (after
checking that it works on F28, which is the oldest Fedora version
I have at hand right now). Stylistic improvements to the script
are fine, but let's get the bug fixed for now.
BTW, I noticed that the documentation about how to run the tests
is a bit stale as well --- for instance, it says to use
$ sudo semodule -u sepgsql-regtest.pp
but that slaps your wrist:
The --upgrade option is deprecated. Use --install instead.
So if anyone does feel like polishing things in this area, some doc
review seems indicated.
regards, tom lane