Adding upstream version 14.5.upstream/14.5upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 306 insertions, 0 deletions

diff --git a/contrib/sepgsql/test_sepgsql b/contrib/sepgsql/test_sepgsql
new file mode 100755
index 0000000..3a29556
--- /dev/null
+++ b/contrib/sepgsql/test_sepgsql
@@ -0,0 +1,306 @@
+#!/bin/sh
+#
+# Run the sepgsql regression tests, after making a lot of environmental checks
+# to try to ensure that the SELinux environment is set up appropriately and
+# the database is configured correctly.
+#
+# Note that this must be run against an installed Postgres database.
+# There's no equivalent of "make check", and that wouldn't be terribly useful
+# since much of the value is in checking that you installed sepgsql into
+# your database correctly.
+#
+# This must be run in the contrib/sepgsql directory of a Postgres build tree.
+#
+
+PG_BINDIR=`pg_config --bindir`
+
+# we must move to contrib/sepgsql directory to run pg_regress correctly
+cd `dirname $0`
+
+echo
+echo "============== checking selinux environment           =============="
+
+# matchpathcon must be present to assess whether the installation environment
+# is OK.
+echo -n "checking for matchpathcon           ... "
+if ! matchpathcon -n . >/dev/null 2>&1; then
+    echo "not found"
+    echo ""
+    echo "The matchpathcon command must be available."
+    echo "Please install it or update your PATH to include it"
+    echo "(it is typically in '/usr/sbin', which might not be in your PATH)."
+    echo "matchpathcon is typically included in the libselinux-utils package."
+    exit 1
+fi
+echo "ok"
+
+# runcon must be present to launch psql using the correct environment
+echo -n "checking for runcon                 ... "
+if ! runcon --help >/dev/null 2>&1; then
+    echo "not found"
+    echo ""
+    echo "The runcon command must be available."
+    echo "runcon is typically included in the coreutils package."
+    echo ""
+    exit 1
+fi
+echo "ok"
+
+# check sestatus too, since that lives in yet another package
+echo -n "checking for sestatus               ... "
+if ! sestatus >/dev/null 2>&1; then
+    echo "not found"
+    echo ""
+    echo "The sestatus command must be available."
+    echo "sestatus is typically included in the policycoreutils package."
+    echo ""
+    exit 1
+fi
+echo "ok"
+
+# check that the user is running in the unconfined_t domain
+echo -n "checking current user domain        ... "
+DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'`
+echo ${DOMAIN:-failed}
+if [ "${DOMAIN}" != unconfined_t ]; then
+    echo ""
+    echo "The regression tests must be launched from the unconfined_t domain."
+    echo ""
+    echo "The unconfined_t domain is typically the default domain for user"
+    echo "shell processes.  If the default has been changed on your system,"
+    echo "you can revert the changes like this:"
+    echo ""
+    echo "  \$ sudo semanage login -d `whoami`"
+    echo ""
+    echo "Or, you can add a setting to log in using the unconfined_t domain:"
+    echo ""
+    echo "  \$ sudo semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`"
+    echo ""
+    exit 1
+fi
+
+# SELinux must be configured in enforcing mode
+echo -n "checking selinux operating mode     ... "
+CURRENT_MODE=`LANG=C sestatus | grep '^Current mode:' | awk '{print $3}'`
+echo ${CURRENT_MODE:-failed}
+if [ "${CURRENT_MODE}" = enforcing ]; then
+    : OK
+elif [ "${CURRENT_MODE}" = permissive -o "${CURRENT_MODE}" = disabled ]; then
+    echo ""
+    echo "Before running the regression tests, SELinux must be enabled and"
+    echo "must be running in enforcing mode."
+    echo ""
+    echo "If SELinux is currently running in permissive mode, you can"
+    echo "switch to enforcing mode using the 'setenforce' command."
+    echo
+    echo "  \$ sudo setenforce 1"
+    echo ""
+    echo "The system default setting is configured in /etc/selinux/config,"
+    echo "or using a kernel boot parameter."
+    echo ""
+    exit 1
+else
+    echo ""
+    echo "Unable to determine the current selinux operating mode.  Please"
+    echo "verify that the sestatus command is installed and in your PATH."
+    echo ""
+    exit 1
+fi
+
+# 'sepgsql-regtest' policy module must be loaded
+echo -n "checking for sepgsql-regtest policy ... "
+SELINUX_MNT=`LANG=C sestatus | grep '^SELinuxfs mount:' | awk '{print $3}'`
+if [ "$SELINUX_MNT" = "" ]; then
+    echo "failed"
+    echo ""
+    echo "Unable to find SELinuxfs mount point."
+    echo ""
+    echo "The sestatus command should report the location where SELinuxfs"
+    echo "is mounted, but did not do so."
+    echo ""
+    exit 1
+fi
+if [ ! -e "${SELINUX_MNT}/booleans/sepgsql_regression_test_mode" ]; then
+    echo "failed"
+    echo ""
+    echo "The 'sepgsql-regtest' policy module appears not to be installed."
+    echo "Without this policy installed, the regression tests will fail."
+    echo "You can install this module using the following commands:"
+    echo ""
+    echo "  \$ make -f /usr/share/selinux/devel/Makefile"
+    echo "  \$ sudo semodule -u sepgsql-regtest.pp"
+    echo ""
+    echo "To confirm that the policy package is installed, use this command:"
+    echo ""
+    echo "  \$ sudo semodule -l | grep sepgsql"
+    echo ""
+    exit 1
+fi
+echo "ok"
+
+# Verify that sepgsql_regression_test_mode is active.
+echo -n "checking whether policy is enabled  ... "
+POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'`
+echo ${POLICY_STATUS:-failed}
+if [ "${POLICY_STATUS}" != on ]; then
+    echo ""
+    echo "The SELinux boolean 'sepgsql_regression_test_mode' must be"
+    echo "turned on in order to enable the rules necessary to run the"
+    echo "regression tests."
+    echo ""
+    if [ "${POLICY_STATUS}" = "" ]; then
+        echo "We attempted to determine the state of this Boolean using"
+        echo "'getsebool', but that command did not produce the expected"
+        echo "output.  Please verify that getsebool is available and in"
+        echo "your PATH."
+    else
+        echo "You can turn on this variable using the following commands:"
+        echo ""
+        echo "  \$ sudo setsebool sepgsql_regression_test_mode on"
+        echo ""
+        echo "For security reasons, it is suggested that you turn off this"
+        echo "variable when regression testing is complete and the associated"
+        echo "rules are no longer needed."
+    fi
+    echo ""
+    exit 1
+fi
+POLICY_STATUS=`getsebool sepgsql_enable_users_ddl | awk '{print $3}'`
+echo ${POLICY_STATUS:-failed}
+if [ "${POLICY_STATUS}" != on ]; then
+    echo ""
+    echo "The SELinux boolean 'sepgsql_enable_users_ddl' must be"
+    echo "turned on in order to enable the rules necessary to run"
+    echo "the regression tests."
+    echo ""
+    if [ "${POLICY_STATUS}" = "" ]; then
+        echo "We attempted to determine the state of this Boolean using"
+        echo "'getsebool', but that command did not produce the expected"
+        echo "output.  Please verify that getsebool is available and in"
+        echo "your PATH."
+    else
+        echo "You can turn on this variable using the following commands:"
+        echo ""
+        echo "  \$ sudo setsebool sepgsql_enable_users_ddl on"
+        echo ""
+        echo "For security reasons, it is suggested that you turn off this"
+        echo "variable when regression testing is complete, unless you"
+        echo "don't want to allow unprivileged users DDL commands."
+    fi
+    echo ""
+    exit 1
+fi
+
+# 'psql' command must be executable from test domain
+echo -n "checking whether we can run psql    ... "
+CMD_PSQL="${PG_BINDIR}/psql"
+if [ ! -e "${CMD_PSQL}" ]; then
+    echo "not found"
+    echo
+    echo "${CMD_PSQL} was not found."
+    echo "Check your PostgreSQL installation."
+    echo
+    exit 1
+fi
+runcon -t sepgsql_regtest_user_t "${CMD_PSQL}" --help >& /dev/null
+if [ $? -ne 0 ]; then
+    echo "failed"
+    echo
+    echo "${CMD_PSQL} must be executable from the"
+    echo "sepgsql_regtest_user_t domain. That domain has restricted privileges"
+    echo "compared to unconfined_t, so the problem may be the psql file's"
+    echo "SELinux label. Try"
+    echo
+    PSQL_T=`matchpathcon -n "${CMD_PSQL}" | sed 's/:/ /g' | awk '{print $3}'`
+    if [ "${PSQL_T}" = "user_home_t" ]; then
+        # Installation appears to be in /home directory
+        echo "  \$ sudo restorecon -R ${PG_BINDIR}"
+        echo
+        echo "Or, using chcon"
+        echo
+        echo "  \$ sudo chcon -t user_home_t ${CMD_PSQL}"
+    else
+        echo "  \$ sudo restorecon -R ${PG_BINDIR}"
+        echo
+        echo "Or, using chcon"
+        echo
+        echo "  \$ sudo chcon -t bin_t ${CMD_PSQL}"
+    fi
+    echo
+    exit 1
+fi
+echo "ok"
+
+# loadable module must be installed and not configured to permissive mode
+echo -n "checking sepgsql installation       ... "
+VAL="`${CMD_PSQL} -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null`"
+RETVAL="$?"
+if [ $RETVAL -eq 2 ]; then
+    echo "failed"
+    echo ""
+    echo "Could not connect to the database server."
+    echo "Please check your PostgreSQL installation."
+    echo ""
+    exit 1
+elif [ $RETVAL -ne 0 ]; then
+    echo "failed"
+    echo ""
+    echo "The sepgsql module does not appear to be loaded.  Please verify"
+    echo "that the 'shared_preload_libraries' setting in postgresql.conf"
+    echo "includes 'sepgsql', and then restart the server."
+    echo ""
+    echo "See Installation section of the contrib/sepgsql documentation."
+    echo ""
+    exit 1
+elif ! echo "$VAL" | grep -q 'off$'; then
+    echo "failed"
+    echo ""
+    echo "The parameter 'sepgsql.permissive' is set to 'on'.  It must be"
+    echo "turned off before running the regression tests."
+    echo ""
+    exit 1
+fi
+echo "ok"
+
+# template1 database must be labeled
+# NOTE: this test is wrong; we really ought to be checking template0.
+# But we can't connect to that without extra pushups, and it's not worth it.
+echo -n "checking for labels in template1    ... "
+NUM=`${CMD_PSQL} -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null`
+if [ -z "${NUM}" ]; then
+    echo "failed"
+    echo ""
+    echo "In order to test sepgsql, initial labels must be assigned within"
+    echo "the 'template1' database.  These labels will be copied into the"
+    echo "regression test database."
+    echo ""
+    echo "See Installation section of the contrib/sepgsql documentation."
+    echo ""
+    exit 1
+fi
+echo "found ${NUM}"
+
+#
+# checking complete - let's run the tests
+#
+
+echo
+echo "============== running sepgsql regression tests       =============="
+
+tests="label dml ddl alter misc"
+
+# Check if the truncate permission exists in the loaded policy, and if so,
+# run the truncate test
+#
+# Testing the TRUNCATE regression test can be done by manually adding
+# the permission with CIL if necessary:
+#     sudo semodule -cE base
+#     sudo sed -i -E 's/(class db_table.*?) \)/\1 truncate\)/' base.cil
+#     sudo semodule -i base.cil
+
+if [ -f /sys/fs/selinux/class/db_table/perms/truncate ]; then
+	tests+=" truncate"
+fi
+
+make REGRESS="$tests" REGRESS_OPTS="--launcher ./launcher" installcheck
+# exit with the exit code provided by "make"