summaryrefslogtreecommitdiffstats
path: root/contrib/sepgsql/test_sepgsql
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xcontrib/sepgsql/test_sepgsql306
1 files changed, 306 insertions, 0 deletions
diff --git a/contrib/sepgsql/test_sepgsql b/contrib/sepgsql/test_sepgsql
new file mode 100755
index 0000000..3a29556
--- /dev/null
+++ b/contrib/sepgsql/test_sepgsql
@@ -0,0 +1,306 @@
+#!/bin/sh
+#
+# Run the sepgsql regression tests, after making a lot of environmental checks
+# to try to ensure that the SELinux environment is set up appropriately and
+# the database is configured correctly.
+#
+# Note that this must be run against an installed Postgres database.
+# There's no equivalent of "make check", and that wouldn't be terribly useful
+# since much of the value is in checking that you installed sepgsql into
+# your database correctly.
+#
+# This must be run in the contrib/sepgsql directory of a Postgres build tree.
+#
+
+PG_BINDIR=`pg_config --bindir`
+
+# we must move to contrib/sepgsql directory to run pg_regress correctly
+cd `dirname $0`
+
+echo
+echo "============== checking selinux environment =============="
+
+# matchpathcon must be present to assess whether the installation environment
+# is OK.
+echo -n "checking for matchpathcon ... "
+if ! matchpathcon -n . >/dev/null 2>&1; then
+ echo "not found"
+ echo ""
+ echo "The matchpathcon command must be available."
+ echo "Please install it or update your PATH to include it"
+ echo "(it is typically in '/usr/sbin', which might not be in your PATH)."
+ echo "matchpathcon is typically included in the libselinux-utils package."
+ exit 1
+fi
+echo "ok"
+
+# runcon must be present to launch psql using the correct environment
+echo -n "checking for runcon ... "
+if ! runcon --help >/dev/null 2>&1; then
+ echo "not found"
+ echo ""
+ echo "The runcon command must be available."
+ echo "runcon is typically included in the coreutils package."
+ echo ""
+ exit 1
+fi
+echo "ok"
+
+# check sestatus too, since that lives in yet another package
+echo -n "checking for sestatus ... "
+if ! sestatus >/dev/null 2>&1; then
+ echo "not found"
+ echo ""
+ echo "The sestatus command must be available."
+ echo "sestatus is typically included in the policycoreutils package."
+ echo ""
+ exit 1
+fi
+echo "ok"
+
+# check that the user is running in the unconfined_t domain
+echo -n "checking current user domain ... "
+DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'`
+echo ${DOMAIN:-failed}
+if [ "${DOMAIN}" != unconfined_t ]; then
+ echo ""
+ echo "The regression tests must be launched from the unconfined_t domain."
+ echo ""
+ echo "The unconfined_t domain is typically the default domain for user"
+ echo "shell processes. If the default has been changed on your system,"
+ echo "you can revert the changes like this:"
+ echo ""
+ echo " \$ sudo semanage login -d `whoami`"
+ echo ""
+ echo "Or, you can add a setting to log in using the unconfined_t domain:"
+ echo ""
+ echo " \$ sudo semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`"
+ echo ""
+ exit 1
+fi
+
+# SELinux must be configured in enforcing mode
+echo -n "checking selinux operating mode ... "
+CURRENT_MODE=`LANG=C sestatus | grep '^Current mode:' | awk '{print $3}'`
+echo ${CURRENT_MODE:-failed}
+if [ "${CURRENT_MODE}" = enforcing ]; then
+ : OK
+elif [ "${CURRENT_MODE}" = permissive -o "${CURRENT_MODE}" = disabled ]; then
+ echo ""
+ echo "Before running the regression tests, SELinux must be enabled and"
+ echo "must be running in enforcing mode."
+ echo ""
+ echo "If SELinux is currently running in permissive mode, you can"
+ echo "switch to enforcing mode using the 'setenforce' command."
+ echo
+ echo " \$ sudo setenforce 1"
+ echo ""
+ echo "The system default setting is configured in /etc/selinux/config,"
+ echo "or using a kernel boot parameter."
+ echo ""
+ exit 1
+else
+ echo ""
+ echo "Unable to determine the current selinux operating mode. Please"
+ echo "verify that the sestatus command is installed and in your PATH."
+ echo ""
+ exit 1
+fi
+
+# 'sepgsql-regtest' policy module must be loaded
+echo -n "checking for sepgsql-regtest policy ... "
+SELINUX_MNT=`LANG=C sestatus | grep '^SELinuxfs mount:' | awk '{print $3}'`
+if [ "$SELINUX_MNT" = "" ]; then
+ echo "failed"
+ echo ""
+ echo "Unable to find SELinuxfs mount point."
+ echo ""
+ echo "The sestatus command should report the location where SELinuxfs"
+ echo "is mounted, but did not do so."
+ echo ""
+ exit 1
+fi
+if [ ! -e "${SELINUX_MNT}/booleans/sepgsql_regression_test_mode" ]; then
+ echo "failed"
+ echo ""
+ echo "The 'sepgsql-regtest' policy module appears not to be installed."
+ echo "Without this policy installed, the regression tests will fail."
+ echo "You can install this module using the following commands:"
+ echo ""
+ echo " \$ make -f /usr/share/selinux/devel/Makefile"
+ echo " \$ sudo semodule -u sepgsql-regtest.pp"
+ echo ""
+ echo "To confirm that the policy package is installed, use this command:"
+ echo ""
+ echo " \$ sudo semodule -l | grep sepgsql"
+ echo ""
+ exit 1
+fi
+echo "ok"
+
+# Verify that sepgsql_regression_test_mode is active.
+echo -n "checking whether policy is enabled ... "
+POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'`
+echo ${POLICY_STATUS:-failed}
+if [ "${POLICY_STATUS}" != on ]; then
+ echo ""
+ echo "The SELinux boolean 'sepgsql_regression_test_mode' must be"
+ echo "turned on in order to enable the rules necessary to run the"
+ echo "regression tests."
+ echo ""
+ if [ "${POLICY_STATUS}" = "" ]; then
+ echo "We attempted to determine the state of this Boolean using"
+ echo "'getsebool', but that command did not produce the expected"
+ echo "output. Please verify that getsebool is available and in"
+ echo "your PATH."
+ else
+ echo "You can turn on this variable using the following commands:"
+ echo ""
+ echo " \$ sudo setsebool sepgsql_regression_test_mode on"
+ echo ""
+ echo "For security reasons, it is suggested that you turn off this"
+ echo "variable when regression testing is complete and the associated"
+ echo "rules are no longer needed."
+ fi
+ echo ""
+ exit 1
+fi
+POLICY_STATUS=`getsebool sepgsql_enable_users_ddl | awk '{print $3}'`
+echo ${POLICY_STATUS:-failed}
+if [ "${POLICY_STATUS}" != on ]; then
+ echo ""
+ echo "The SELinux boolean 'sepgsql_enable_users_ddl' must be"
+ echo "turned on in order to enable the rules necessary to run"
+ echo "the regression tests."
+ echo ""
+ if [ "${POLICY_STATUS}" = "" ]; then
+ echo "We attempted to determine the state of this Boolean using"
+ echo "'getsebool', but that command did not produce the expected"
+ echo "output. Please verify that getsebool is available and in"
+ echo "your PATH."
+ else
+ echo "You can turn on this variable using the following commands:"
+ echo ""
+ echo " \$ sudo setsebool sepgsql_enable_users_ddl on"
+ echo ""
+ echo "For security reasons, it is suggested that you turn off this"
+ echo "variable when regression testing is complete, unless you"
+ echo "don't want to allow unprivileged users DDL commands."
+ fi
+ echo ""
+ exit 1
+fi
+
+# 'psql' command must be executable from test domain
+echo -n "checking whether we can run psql ... "
+CMD_PSQL="${PG_BINDIR}/psql"
+if [ ! -e "${CMD_PSQL}" ]; then
+ echo "not found"
+ echo
+ echo "${CMD_PSQL} was not found."
+ echo "Check your PostgreSQL installation."
+ echo
+ exit 1
+fi
+runcon -t sepgsql_regtest_user_t "${CMD_PSQL}" --help >& /dev/null
+if [ $? -ne 0 ]; then
+ echo "failed"
+ echo
+ echo "${CMD_PSQL} must be executable from the"
+ echo "sepgsql_regtest_user_t domain. That domain has restricted privileges"
+ echo "compared to unconfined_t, so the problem may be the psql file's"
+ echo "SELinux label. Try"
+ echo
+ PSQL_T=`matchpathcon -n "${CMD_PSQL}" | sed 's/:/ /g' | awk '{print $3}'`
+ if [ "${PSQL_T}" = "user_home_t" ]; then
+ # Installation appears to be in /home directory
+ echo " \$ sudo restorecon -R ${PG_BINDIR}"
+ echo
+ echo "Or, using chcon"
+ echo
+ echo " \$ sudo chcon -t user_home_t ${CMD_PSQL}"
+ else
+ echo " \$ sudo restorecon -R ${PG_BINDIR}"
+ echo
+ echo "Or, using chcon"
+ echo
+ echo " \$ sudo chcon -t bin_t ${CMD_PSQL}"
+ fi
+ echo
+ exit 1
+fi
+echo "ok"
+
+# loadable module must be installed and not configured to permissive mode
+echo -n "checking sepgsql installation ... "
+VAL="`${CMD_PSQL} -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null`"
+RETVAL="$?"
+if [ $RETVAL -eq 2 ]; then
+ echo "failed"
+ echo ""
+ echo "Could not connect to the database server."
+ echo "Please check your PostgreSQL installation."
+ echo ""
+ exit 1
+elif [ $RETVAL -ne 0 ]; then
+ echo "failed"
+ echo ""
+ echo "The sepgsql module does not appear to be loaded. Please verify"
+ echo "that the 'shared_preload_libraries' setting in postgresql.conf"
+ echo "includes 'sepgsql', and then restart the server."
+ echo ""
+ echo "See Installation section of the contrib/sepgsql documentation."
+ echo ""
+ exit 1
+elif ! echo "$VAL" | grep -q 'off$'; then
+ echo "failed"
+ echo ""
+ echo "The parameter 'sepgsql.permissive' is set to 'on'. It must be"
+ echo "turned off before running the regression tests."
+ echo ""
+ exit 1
+fi
+echo "ok"
+
+# template1 database must be labeled
+# NOTE: this test is wrong; we really ought to be checking template0.
+# But we can't connect to that without extra pushups, and it's not worth it.
+echo -n "checking for labels in template1 ... "
+NUM=`${CMD_PSQL} -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null`
+if [ -z "${NUM}" ]; then
+ echo "failed"
+ echo ""
+ echo "In order to test sepgsql, initial labels must be assigned within"
+ echo "the 'template1' database. These labels will be copied into the"
+ echo "regression test database."
+ echo ""
+ echo "See Installation section of the contrib/sepgsql documentation."
+ echo ""
+ exit 1
+fi
+echo "found ${NUM}"
+
+#
+# checking complete - let's run the tests
+#
+
+echo
+echo "============== running sepgsql regression tests =============="
+
+tests="label dml ddl alter misc"
+
+# Check if the truncate permission exists in the loaded policy, and if so,
+# run the truncate test
+#
+# Testing the TRUNCATE regression test can be done by manually adding
+# the permission with CIL if necessary:
+# sudo semodule -cE base
+# sudo sed -i -E 's/(class db_table.*?) \)/\1 truncate\)/' base.cil
+# sudo semodule -i base.cil
+
+if [ -f /sys/fs/selinux/class/db_table/perms/truncate ]; then
+ tests+=" truncate"
+fi
+
+make REGRESS="$tests" REGRESS_OPTS="--launcher ./launcher" installcheck
+# exit with the exit code provided by "make"