mirror of
				https://github.com/postgres/postgres.git
				synced 2025-10-25 13:17:41 +03:00 
			
		
		
		
	Clean up 'chkselinuxenv' script.
Eliminate dependencies on "which", as we don't really need that to be installed for proper testing. Don't number the tests, as that increases the footprint of every patch that wants to add or remove tests. Make the test output more informative, so that it's a bit easier to see what went right (or wrong). Spelling and grammar improvements.
This commit is contained in:
		| @@ -9,200 +9,153 @@ PG_DATADIR="$2" | |||||||
|  |  | ||||||
| echo | echo | ||||||
| echo "============== checking selinux environment           ==============" | echo "============== checking selinux environment           ==============" | ||||||
| # |  | ||||||
| # Test.0 - necessary commands for environment checks | # matchpathcon must be present to assess whether the installation environment | ||||||
| # | # is OK. | ||||||
| echo -n "test installed commands       ... " | echo -n "checking for matchpathcon           ... " | ||||||
| if ! which --help >&/dev/null; then | if ! matchpathcon -n . >/dev/null 2>&1; then | ||||||
|     echo "failed" |     echo "not found" | ||||||
|     echo |     echo "" | ||||||
|     echo "'which' command was not found, executable or installed." |     echo "matchpathcon not found; please install it or update your PATH." | ||||||
|     echo "Please make sure your PATH, or install this command at first." |  | ||||||
|     echo |  | ||||||
|     echo "If yum is available on your system, it will suggest packages" |  | ||||||
|     echo "to be installed:" |  | ||||||
|     echo "  # yum provides which" |  | ||||||
|     exit 1 |  | ||||||
| fi |  | ||||||
| if ! matchpathcon -n / >&/dev/null; then |  | ||||||
|     echo "failed" |  | ||||||
|     echo |  | ||||||
|     echo "'matchpathcon' command was not found, executable or installed." |  | ||||||
|     echo "Please make sure your PATH, or install this command at first." |  | ||||||
|     echo |  | ||||||
|     echo "If yum is available on your system, it will suggest packages" |  | ||||||
|     echo "to be installed:" |  | ||||||
|     echo "  # yum provides which" |  | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
| echo "ok" | echo "ok" | ||||||
|  |  | ||||||
| # | # runcon must be present to launch psql using the correct environment | ||||||
| # Test.1 - must be launched at unconfined_t domain | echo -n "checking for runcon                 ... " | ||||||
| # | if ! runcon --help >/dev/null 2>&1; then | ||||||
| echo -n "test unconfined_t domain      ... " |  | ||||||
|  |  | ||||||
| DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'` |  | ||||||
| if [ "${DOMAIN}" != "unconfined_t" ]; then |  | ||||||
|     echo "failed" |     echo "failed" | ||||||
|     echo |     echo "" | ||||||
|     echo "This regression test needs to be launched on unconfined_t domain." |     echo "The runcon command must exist and be executable; it is used to" | ||||||
|     echo |     echo "launch psql command with a particular domain.  It is typically" | ||||||
|     echo "The unconfined_t domain is mostly default domain of users' shell" | 	echo "included within the coreutils package." | ||||||
|     echo "process. So, we suggest you to revert your special configuration" |     echo "" | ||||||
|     echo "on your system, as follows:" |     exit 1 | ||||||
|     echo | fi | ||||||
|  | echo "ok" | ||||||
|  |  | ||||||
|  | # check that the user is running in the unconfined_t domain | ||||||
|  | echo -n "checking current user domain        ... " | ||||||
|  | DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'` | ||||||
|  | echo ${DOMAIN:-failed} | ||||||
|  | if [ "${DOMAIN}" != "unconfined_t" ]; then | ||||||
|  |     echo "" | ||||||
|  |     echo "This regression test must be launched from the unconfined_t domain." | ||||||
|  |     echo "" | ||||||
|  |     echo "The unconfined_t domain is typically the default domain for user" | ||||||
|  |     echo "shell processes.  If the default has been changed on your system," | ||||||
|  | 	echo "you can revert the changes like this:" | ||||||
|  |     echo "" | ||||||
|     echo "  \$ su -" |     echo "  \$ su -" | ||||||
|     echo "  # semanage login -d `whoami`" |     echo "  # semanage login -d `whoami`" | ||||||
|     echo |     echo "" | ||||||
|     echo "Or, add a setting to login as unconfined_t domain" |     echo "Or, you can add a setting to log in using the unconfined_t domain:" | ||||||
|     echo |     echo "" | ||||||
|     echo "  \$ su -" |     echo "  \$ su -" | ||||||
|     echo "  # semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`" |     echo "  # semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`" | ||||||
|     echo |     echo "" | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
| echo "ok" |  | ||||||
|  |  | ||||||
| # | # SELinux must be configured to enforcing mode | ||||||
| # Test.2 - 'runcon' must exist and be executable | echo -n "checking selinux operating mode     ... " | ||||||
| # | CURRENT_MODE=`env LANG=C sestatus | grep 'Current mode:' | awk '{print $3}'` | ||||||
| echo -n "test runcon command           ... " | echo ${CURRENT_MODE:-failed} | ||||||
|  | if [ "${CURRENT_MODE}" != enforcing ]; then | ||||||
| CMD_RUNCON="`which runcon 2>/dev/null`" | 	if [ "${CURRENT_MODE}" = permissive -o "${CURRENT_MODE}" = disabled ]; then | ||||||
| if [ ! -x "${CMD_RUNCON}" ]; then | 	    echo "" | ||||||
|     echo "failed" | 	    echo "Before running the regression tests, SELinux must be enabled and" | ||||||
|     echo | 		echo "must be running in enforcing mode." | ||||||
|     echo "The runcon must exist and be executable; it is internally used to" | 		echo "" | ||||||
|     echo "launch psql command with a particular domain. It is mostly included" | 		echo "If SELinux is currently running in permissive mode, you can" | ||||||
|     echo "within coreutils package. So, our suggestion is to install the latest" | 		echo "switch to enforcing command using the 'setenforce' command." | ||||||
|     echo "version of this package." |  | ||||||
|     echo |  | ||||||
|     exit 1 |  | ||||||
| fi |  | ||||||
| echo "ok" |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Test.3 - 'sestatus' must exist and be executable |  | ||||||
| # |  | ||||||
| echo -n "test sestatus command         ... " |  | ||||||
|  |  | ||||||
| CMD_SESTATUS="`which sestatus 2>/dev/null`" |  | ||||||
| if [ ! -x "${CMD_SESTATUS}" ]; then |  | ||||||
|     echo "failed" |  | ||||||
|     echo |  | ||||||
|     echo "The sestatus should exist and be executable; it is internally used to" |  | ||||||
|     echo "this checks; to show configuration of SELinux. It is mostly included" |  | ||||||
|     echo "within policycoreutils package. So, our suggestion is to install the" |  | ||||||
|     echo "latest version of this package." |  | ||||||
|     echo |  | ||||||
|     exit 1 |  | ||||||
| fi |  | ||||||
| echo "ok" |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Test.4 - 'getsebool' must exist and be executable |  | ||||||
| # |  | ||||||
| echo -n "test getsebool command        ... " |  | ||||||
|  |  | ||||||
| CMD_GETSEBOOL="`which getsebool`" |  | ||||||
| if [ ! -x "${CMD_GETSEBOOL}" ]; then |  | ||||||
|     echo "failed" |  | ||||||
|     echo |  | ||||||
|     echo "The getsebool should exist and be executable; it is internally used to" |  | ||||||
|     echo "this checks; to show current setting of SELinux boolean variables." |  | ||||||
|     echo "It is mostly included within libselinux-utils package. So, our suggestion" |  | ||||||
|     echo "is to install the latest version of this package." |  | ||||||
|     echo |  | ||||||
|     exit 1 |  | ||||||
| fi |  | ||||||
| echo "ok" |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Test.5 - SELinux must be configured to enforcing mode |  | ||||||
| # |  | ||||||
| echo -n "test enforcing mode           ... " |  | ||||||
|  |  | ||||||
| CURRENT_MODE=`env LANG=C ${CMD_SESTATUS} | grep 'Current mode:' | awk '{print $3}'` |  | ||||||
| if [ "${CURRENT_MODE}" != "enforcing" ]; then |  | ||||||
|     echo "failed" |  | ||||||
|     echo |  | ||||||
|     echo "SELinux must be configured to 'enforcing' mode." |  | ||||||
|     echo "You can switch SELinux to enforcing mode using setenforce command," |  | ||||||
|     echo "as follows:" |  | ||||||
| 	    echo | 	    echo | ||||||
| 	    echo "  \$ su -" | 	    echo "  \$ su -" | ||||||
| 	    echo "  # setenforce 1" | 	    echo "  # setenforce 1" | ||||||
|     echo | 	    echo "" | ||||||
|     echo "The system default setting is configured at /etc/selinux/config," | 	    echo "The system default setting is configured in /etc/selinux/config," | ||||||
|     echo "or kernel bool parameter. Please also check it, if you see this" | 	    echo "or using a kernel bool parameter." | ||||||
|     echo "message although you didn't switch to permissive mode." | 	    echo "" | ||||||
|     echo | 	else | ||||||
|  | 		echo "" | ||||||
|  | 		echo "Unable to determine the current selinux operating mode.  Please" | ||||||
|  | 		echo "verify that the sestatus command is installed and in your PATH." | ||||||
|  | 	    echo "" | ||||||
|  | 	fi | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
| echo "ok" |  | ||||||
|  |  | ||||||
| # | # 'sepgsql-regtest' policy module must be loaded | ||||||
| # Test.6 - 'sepgsql-regtest' policy module must be loaded | echo -n "checking for sepgsql-regtest policy ... " | ||||||
| # | SELINUX_MNT=`env LANG=C sestatus 2>/dev/null | grep '^SELinuxfs mount:' | awk '{print $3}'` | ||||||
| echo -n "test sepgsql-regtest policy   ... " | if [ "$SELINUX_MNT" = "" ]; then | ||||||
|  | 	echo "failed" | ||||||
| SELINUX_MNT=`env LANG=C ${CMD_SESTATUS} | grep '^SELinuxfs mount:' | awk '{print $3}'` | 	echo "" | ||||||
|  | 	echo "Unable to find SELinuxfs mount point." | ||||||
|  | 	echo "" | ||||||
|  | 	echo "The sestatus command should report the location where SELinuxfs" | ||||||
|  | 	echo "is mounted, but did not do so." | ||||||
|  | 	echo "" | ||||||
|  | 	exit 1 | ||||||
|  | fi | ||||||
| if [ ! -e ${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ]; then | if [ ! -e ${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ]; then | ||||||
|     echo "failed" |     echo "failed" | ||||||
|     echo |     echo "" | ||||||
|     echo "The 'sepgsql-regtest' policy module must be installed; that provide" |     echo "The 'sepgsql-regtest' policy module appears not to be installed." | ||||||
|     echo "a set of special rules for this regression test." | 	echo "Without this policy installed, the regression tests will fail." | ||||||
|     echo "You can install this module as follows:" |     echo "You can install this module using the following commands:" | ||||||
|     echo |     echo "" | ||||||
|     echo "  \$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux" |     echo "  \$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux" | ||||||
|     echo "  \$ su" |     echo "  \$ su" | ||||||
|     echo "  # semodule -i contrib/sepgsql/sepgsql-regtest.pp" |     echo "  # semodule -i contrib/sepgsql/sepgsql-regtest.pp" | ||||||
|     echo |     echo "" | ||||||
|     echo "Then, you can confirm the policy package being installed, as follows:" |     echo "To confirm that policy package is installed, use this command:" | ||||||
|     echo |     echo "" | ||||||
|     echo "  # semodule -l | grep sepgsql" |     echo "  # semodule -l | grep sepgsql" | ||||||
|     echo |     echo "" | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
| echo "ok" | echo "ok" | ||||||
|  |  | ||||||
| # | # Verify that sepgsql_regression_test_mode is active. | ||||||
| # Test.7 - 'sepgsql_regression_test_mode' must be turned on | echo -n "checking whether policy is enabled  ... " | ||||||
| # | POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'` | ||||||
| echo -n "test selinux boolean          ... " | echo ${POLICY_STATUS:-failed} | ||||||
|  | if [ "${POLICY_STATUS}" != "on" ]; then | ||||||
| if ! ${CMD_GETSEBOOL} sepgsql_regression_test_mode | grep -q ' on$'; then | 	echo "" | ||||||
|     echo "failed" |     echo "The SELinux boolean 'sepgsql_regression_test_mode' must be" | ||||||
|     echo |     echo "turned on in order to enable the rules necessary to run the" | ||||||
|     echo "The boolean variable of 'sepgsql_regression_test_mode' must be" | 	echo "regression tests." | ||||||
|     echo "turned. It affects an internal state of SELinux policy, then" | 	echo "" | ||||||
|     echo "a set of rules to run regression test will be activated." | 	if "${POLICY_STATUS}" = ""; then | ||||||
|     echo "You can turn on this variable as follows:" | 		echo "We attempted to determine the state of this Boolean using" | ||||||
|     echo | 		echo "'getsebool', but that command did not produce the expected" | ||||||
|  | 		echo "output.  Please verify that getsebool is available and in" | ||||||
|  | 		echo "your PATH." | ||||||
|  | 	else | ||||||
|  | 		echo "You can turn on this variable using the following commands:" | ||||||
|  | 	    echo "" | ||||||
| 	    echo "  \$ su -" | 	    echo "  \$ su -" | ||||||
| 	    echo "  # setsebool sepgsql_regression_test_mode 1" | 	    echo "  # setsebool sepgsql_regression_test_mode 1" | ||||||
|     echo | 	    echo "" | ||||||
|     echo "Also note that we recommend to turn off this variable after the" | 	    echo "For security reasons, it is suggested that you turn off this" | ||||||
|     echo "regression test, because it activates unnecessary rules." | 		echo "variable when regression testing is complete and the associated" | ||||||
|     echo | 		echo "rules are no longer needed." | ||||||
|  | 	fi | ||||||
|  |     echo "" | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
| echo "ok" |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Test.8 - 'psql' command must be executable by test domain |  | ||||||
| # |  | ||||||
| echo -n "test execution of psql        ... " |  | ||||||
|  |  | ||||||
|  | # 'psql' command must be executable by test domain | ||||||
|  | echo -n "checking whether we can run psql    ... " | ||||||
| CMD_PSQL="${PG_BINDIR}/psql" | CMD_PSQL="${PG_BINDIR}/psql" | ||||||
| ${CMD_RUNCON} -t sepgsql_regtest_user_t ${CMD_PSQL} --help >& /dev/null | runcon -t sepgsql_regtest_user_t ${CMD_PSQL} --help >& /dev/null | ||||||
| if [ $? -ne 0 ]; then | if [ $? -ne 0 ]; then | ||||||
|     echo "failed" |     echo "failed" | ||||||
|     echo |     echo | ||||||
|     echo "The ${CMD_PSQL} must be executable by sepgsql_regtest_user_t" |     echo "${CMD_PSQL} must be executable from the sepgsql_regtest_user_t" | ||||||
|     echo "domain. It has restricted privileges compared to unconfined_t," |     echo "domain. The domain has restricted privileges compared to" | ||||||
|     echo "so you should ensure whether this command is labeled correctly." | 	echo "unconfined_t, so you should ensure that it is labeled correctly." | ||||||
|     echo |     echo | ||||||
|     echo "  \$ su - (not needed, if you owns installation directory)" |     echo "  \$ su - (not needed, if you owns installation directory)" | ||||||
|     EXPECT_PSQL=`matchpathcon -n ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'` |     EXPECT_PSQL=`matchpathcon -n ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'` | ||||||
| @@ -226,61 +179,52 @@ if [ $? -ne 0 ]; then | |||||||
| fi | fi | ||||||
| echo "ok" | echo "ok" | ||||||
|  |  | ||||||
| # | # loadable module must be installed and not configured to permissive mode | ||||||
| # Test.9 - 'sepgsql' must be installed | echo -n "checking sepgsql installation       ... " | ||||||
| #          and, not configured to permissive mode |  | ||||||
| # |  | ||||||
| echo -n "test sepgsql installation     ... " |  | ||||||
|  |  | ||||||
| VAL="`${CMD_PSQL} template1 -tc 'SHOW sepgsql.permissive' 2>/dev/null`" | VAL="`${CMD_PSQL} template1 -tc 'SHOW sepgsql.permissive' 2>/dev/null`" | ||||||
| RETVAL="$?" | RETVAL="$?" | ||||||
| if [ $RETVAL -eq 2 ]; then | if [ $RETVAL -eq 2 ]; then | ||||||
|     echo "failed" |     echo "failed" | ||||||
|     echo |     echo "" | ||||||
|     echo "The postgresql server process is not connectable." |     echo "Unable to connect to the server.  Please check your installation." | ||||||
|     echo "Please check your installation first, rather than selinux settings." |     echo "" | ||||||
|     echo |  | ||||||
|     exit 1 |     exit 1 | ||||||
| elif [ $RETVAL -ne 0 ]; then | elif [ $RETVAL -ne 0 ]; then | ||||||
|     echo "failed" |     echo "failed" | ||||||
|     echo |     echo "" | ||||||
|     echo "The sepgsql module was not loaded. So, our recommendation is to" |     echo "The 'sepgsql' module does not appear to be loaded.  Please verify" | ||||||
|     echo "confirm 'shared_preload_libraries' setting in postgresql.conf," |     echo "that the 'shared_preload_libraries' setting in postgresql.conf" | ||||||
|     echo "then restart server process." |     echo "includes sepgsql, and then stop and restart the server." | ||||||
|     echo "It must have '\$libdir/sepgsql' at least." |     echo "" | ||||||
|     echo |  | ||||||
|     exit 1 |     exit 1 | ||||||
| elif ! echo "$VAL" | grep -q 'off$'; then | elif ! echo "$VAL" | grep -q 'off$'; then | ||||||
|     echo "failed" |     echo "failed" | ||||||
|     echo |     echo "" | ||||||
|     echo "The GUC variable 'sepgsql.permissive' was set to 'on', although" |     echo "The GUC variable 'sepgsql.permissive' is set to 'on'.  It must be" | ||||||
|     echo "system configuration is enforcing mode." | 	echo "turned off before running the regression tests." | ||||||
|     echo "You should eliminate this setting from postgresql.conf, then" |     echo "" | ||||||
|     echo "restart server process." |  | ||||||
|     echo |  | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
| echo "ok" | echo "ok" | ||||||
|  |  | ||||||
| # | # template1 database must be labeled | ||||||
| # Test.10 - 'template1' database must be labeled | echo -n "checking for labels in template1    ... " | ||||||
| # | NUM=`${CMD_PSQL} template1 -Atc 'SELECT count(*) FROM pg_catalog.pg_seclabel' 2>/dev/null` | ||||||
| echo -n "test template1 database       ... " |  | ||||||
|  |  | ||||||
| NUM=`${CMD_PSQL} template1 -tc 'SELECT count(*) FROM pg_catalog.pg_seclabel' 2>/dev/null` |  | ||||||
| if [ -z "${NUM}" -o "$NUM" -eq 0 ]; then | if [ -z "${NUM}" -o "$NUM" -eq 0 ]; then | ||||||
|     echo "failed!" |     echo "failed" | ||||||
|     echo |     echo "" | ||||||
|     echo "Initial labels must be assigned on the 'template1' database; that shall" |     echo "In order to regression test sepgsql, initial labels must be assigned" | ||||||
|     echo "be copied to the database for regression test." | 	echo "on the 'template1' database.  These labels will be copied into the" | ||||||
|  | 	echo "regression test database." | ||||||
|  | 	echo "" | ||||||
|     echo "See Installation section of the PostgreSQL documentation." |     echo "See Installation section of the PostgreSQL documentation." | ||||||
|     echo |     echo "" | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
| echo "ok" | echo "found ${NUM}" | ||||||
|  |  | ||||||
| # | # | ||||||
| # check complete -  | # check complete -  | ||||||
| # | # | ||||||
| echo | echo "" | ||||||
| exit 0 | exit 0 | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user