database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-03 09:13:20 +03:00
Code Activity

Fix contrib/sepgsql test policy to work with latest SELinux releases.

Browse Source 
As of Fedora 30, it seems that the system-provided macros for setting
up user privileges in SELinux policies don't grant the ability to read
/etc/passwd, as they formerly did.  This restriction breaks psql
(which tries to use getpwuid() to obtain the user name it's running
under) and thereby the contrib/sepgsql regression test.  Add explicit
specifications that we need the right to read /etc/passwd.

Mike Palmiotto, per a report from me.  Back-patch to all supported
branches.

Discussion: https://postgr.es/m/23856.1563381159@sss.pgh.pa.us
This commit is contained in:
Tom Lane
2019-07-25 11:02:43 -04:00
parent 781568ede6
commit 0a9ba5baac
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
contrib/sepgsql/sepgsql-regtest.te
View File

@@ -31,6 +31,9 @@ userdom_base_user_template(sepgsql_regtest_superuser)
userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t) userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t) userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t) userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)
auth_read_passwd(sepgsql_regtest_superuser_t)
optional_policy(` optional_policy(`
postgresql_stream_connect(sepgsql_regtest_superuser_t) postgresql_stream_connect(sepgsql_regtest_superuser_t)
postgresql_unconfined(sepgsql_regtest_superuser_t) postgresql_unconfined(sepgsql_regtest_superuser_t)
@@ -60,6 +63,9 @@ userdom_base_user_template(sepgsql_regtest_dba)
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t) userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
userdom_exec_user_home_content_files(sepgsql_regtest_dba_t) userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
auth_read_passwd(sepgsql_regtest_dba_t)
optional_policy(` optional_policy(`
postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r) postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
postgresql_stream_connect(sepgsql_regtest_dba_t) postgresql_stream_connect(sepgsql_regtest_dba_t)
@@ -98,6 +104,9 @@ userdom_base_user_template(sepgsql_regtest_user)
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
userdom_exec_user_home_content_files(sepgsql_regtest_user_t) userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
auth_read_passwd(sepgsql_regtest_user_t)
optional_policy(` optional_policy(`
postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
postgresql_stream_connect(sepgsql_regtest_user_t) postgresql_stream_connect(sepgsql_regtest_user_t)
@@ -126,6 +135,8 @@ userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
userdom_exec_user_home_content_files(sepgsql_regtest_pool_t) userdom_exec_user_home_content_files(sepgsql_regtest_pool_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t) userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t)
auth_read_passwd(sepgsql_regtest_pool_t)
type sepgsql_regtest_foo_t; type sepgsql_regtest_foo_t;
type sepgsql_regtest_var_t; type sepgsql_regtest_var_t;
type sepgsql_regtest_foo_table_t; type sepgsql_regtest_foo_table_t;