mirror of
https://github.com/postgres/postgres.git
synced 2025-07-27 12:41:57 +03:00
Fix sepgsql regression tests.
The regression tests for sepgsql were broken by changes in the base distro as-shipped policies. Specifically, definition of unconfined_t in the system default policy was changed to bypass multi-category rules, which the regression test depended on. Fix that by defining a custom privileged domain (sepgsql_regtest_superuser_t) and using it instead of system's unconfined_t domain. The new sepgsql_regtest_superuser_t domain performs almost like the current unconfined_t, but restricted by multi-category policy as the traditional unconfined_t was. The custom policy module is a self defined domain, and so should not be affected by related future system policy changes. However, it still uses the unconfined_u:unconfined_r pair for selinux-user and role. Those definitions have not been changed for several years and seem less risky to rely on than the unconfined_t domain. Additionally, if we define custom user/role, they would need to be manually defined at the operating system level, adding more complexity to an already non-standard and complex regression test. Back-patch to 9.3. The regression tests will need more work before working correctly on 9.2. Starting with 9.2, sepgsql has had dependencies on libselinux versions that are only available on newer distros with the changed set of policies (e.g. RHEL 7.x). On 9.1 sepgsql works fine with the older distros with original policy set (e.g. RHEL 6.x), and on which the existing regression tests work fine. We might want eventually change 9.1 sepgsql regression tests to be more independent from the underlying OS policies, however more work will be needed to make that happen and it is not clear that it is worth the effort. Kohei KaiGai with review by Adam Brightwell and me, commentary by Stephen, Alvaro, Tom, Robert, and others.
This commit is contained in:
Joe Conway
@ -1,4 +1,4 @@
|
||||
policy_module(sepgsql-regtest, 1.07)
|
||||
policy_module(sepgsql-regtest, 1.08)
|
||||
|
||||
gen_require(`
|
||||
all_userspace_class_perms
|
||||
@ -23,6 +23,35 @@ postgresql_procedure_object(sepgsql_nosuch_trusted_proc_exec_t)
|
||||
type sepgsql_regtest_invisible_schema_t;
|
||||
postgresql_schema_object(sepgsql_regtest_invisible_schema_t);
|
||||
|
||||
#
|
||||
# Test domains for self defined unconfined / superuser
|
||||
#
|
||||
role sepgsql_regtest_superuser_r;
|
||||
userdom_base_user_template(sepgsql_regtest_superuser)
|
||||
userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
|
||||
userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
|
||||
userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(sepgsql_regtest_superuser_t)
|
||||
postgresql_unconfined(sepgsql_regtest_superuser_t)
|
||||
')
|
||||
optional_policy(`
|
||||
unconfined_stream_connect(sepgsql_regtest_superuser_t)
|
||||
unconfined_rw_pipes(sepgsql_regtest_superuser_t)
|
||||
')
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
attribute sepgsql_client_type;
|
||||
')
|
||||
allow sepgsql_regtest_superuser_t self : process { setcurrent };
|
||||
allow sepgsql_regtest_superuser_t { self sepgsql_client_type } : process { dyntransition };
|
||||
')
|
||||
|
||||
# Type transition rules
|
||||
allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
|
||||
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
|
||||
type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t;
|
||||
|
||||
#
|
||||
# Test domains for database administrators
|
||||
#
|
||||
@ -156,10 +185,12 @@ optional_policy(`
|
||||
tunable_policy(`sepgsql_regression_test_mode',`
|
||||
allow unconfined_t self : process { setcurrent dyntransition };
|
||||
allow unconfined_t sepgsql_regtest_dba_t : process { transition dyntransition };
|
||||
allow unconfined_t sepgsql_regtest_superuser_t : process { transition dyntransition };
|
||||
allow unconfined_t sepgsql_regtest_user_t : process { transition dyntransition };
|
||||
allow unconfined_t sepgsql_regtest_pool_t : process { transition dyntransition };
|
||||
')
|
||||
role unconfined_r types sepgsql_regtest_dba_t;
|
||||
role unconfined_r types sepgsql_regtest_superuser_t;
|
||||
role unconfined_r types sepgsql_regtest_user_t;
|
||||
role unconfined_r types sepgsql_regtest_nosuch_t;
|
||||
role unconfined_r types sepgsql_trusted_proc_t;
|
||||
@ -169,6 +200,32 @@ optional_policy(`
|
||||
role unconfined_r types sepgsql_regtest_var_t;
|
||||
')
|
||||
|
||||
#
|
||||
# Rule to make MCS policy work on regression test
|
||||
#
|
||||
# NOTE: MCS (multi category security) policy was enabled by default, to
|
||||
# allow DAC style access control, in the previous selinux policy.
|
||||
# However, its definition was changed later, then a limited number of
|
||||
# applications are restricted by MCS policy, for container features
|
||||
# mainly. The rules below enables MCS policy for domains of regression
|
||||
# test also, even if base security policy does not apply. If base policy
|
||||
# is old and MCS is enabled in default, rules below does nothing.
|
||||
#
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type sepgsql_trusted_proc_t;
|
||||
')
|
||||
mcs_constrained(sepgsql_regtest_dba_t)
|
||||
mcs_constrained(sepgsql_regtest_superuser_t)
|
||||
mcs_constrained(sepgsql_regtest_user_t)
|
||||
mcs_constrained(sepgsql_regtest_nosuch_t)
|
||||
mcs_constrained(sepgsql_trusted_proc_t)
|
||||
|
||||
mcs_constrained(sepgsql_regtest_pool_t)
|
||||
mcs_constrained(sepgsql_regtest_foo_t)
|
||||
mcs_constrained(sepgsql_regtest_var_t)
|
||||
')
|
||||
|
||||
#
|
||||
# Rule to execute original trusted procedures
|
||||
#
|
||||
|
||||
Reference in New Issue
Block a user