|
| 1 | +#!/bin/sh |
| 2 | +# |
| 3 | +# SELinux environment checks to ensure configuration of the operating system |
| 4 | +# satisfies prerequisites to run regression test. |
| 5 | +# If incorrect settings are found, this script suggest user a hint. |
| 6 | +# |
| 7 | +PG_BINDIR="$1" |
| 8 | +PG_DATADIR="$2" |
| 9 | + |
| 10 | +echo |
| 11 | +echo"============== checking selinux environment ==============" |
| 12 | + |
| 13 | +# |
| 14 | +# Test.1 - must be launched at unconfined_t domain |
| 15 | +# |
| 16 | +echo -n"test unconfined_t domain ..." |
| 17 | + |
| 18 | +DOMAIN=`id -Z2>/dev/null| sed's/:/ /g'| awk'{print $3}'` |
| 19 | +if ["${DOMAIN}"!="unconfined_t" ];then |
| 20 | +echo"failed" |
| 21 | +echo |
| 22 | +echo"This regression test needs to be launched on unconfined_t domain." |
| 23 | +echo |
| 24 | +echo"The unconfined_t domain is mostly default domain of users' shell" |
| 25 | +echo"process. So, we suggest you to revert your special configuration" |
| 26 | +echo"on your system, as follows:" |
| 27 | +echo |
| 28 | +echo"\$ su -" |
| 29 | +echo" # semanage login -d`whoami`" |
| 30 | +echo |
| 31 | +echo"Or, add a setting to login as unconfined_t domain" |
| 32 | +echo |
| 33 | +echo"\$ su -" |
| 34 | +echo" # semanage login -a -s unconfined_u -r s0-s0:c0.c255`whoami`" |
| 35 | +echo |
| 36 | +exit 1 |
| 37 | +fi |
| 38 | +echo"ok" |
| 39 | + |
| 40 | +# |
| 41 | +# Test.2 - 'runcon' must exist and be executable |
| 42 | +# |
| 43 | +echo -n"test runon command ..." |
| 44 | + |
| 45 | +CMD_RUNCON="`which runcon2>/dev/null`" |
| 46 | +if [!-x"${CMD_RUNCON}" ];then |
| 47 | +echo"failed" |
| 48 | +echo |
| 49 | +echo"The runcon must exist and be executable; it is internally used to" |
| 50 | +echo"launch psql command with a particular domain. It is mostly included" |
| 51 | +echo"within coreutils package. So, our suggestion is to install the latest" |
| 52 | +echo"version of this package." |
| 53 | +echo |
| 54 | +exit 1 |
| 55 | +fi |
| 56 | +echo"ok" |
| 57 | + |
| 58 | +# |
| 59 | +# Test.3 - 'sestatus' must exist and be executable |
| 60 | +# |
| 61 | +echo -n"test sestatus command ..." |
| 62 | + |
| 63 | +CMD_SESTATUS="`which sestatus2>/dev/null`" |
| 64 | +if [!-x"${CMD_SESTATUS}" ];then |
| 65 | +echo"failed" |
| 66 | +echo |
| 67 | +echo"The sestatus should exist and be executable; it is internally used to" |
| 68 | +echo"this checks; to show configuration of SELinux. It is mostly included" |
| 69 | +echo"within policycoreutils package. So, our suggestion is to install the" |
| 70 | +echo"latest version of this package." |
| 71 | +echo |
| 72 | +exit 1 |
| 73 | +fi |
| 74 | +echo"ok" |
| 75 | + |
| 76 | +# |
| 77 | +# Test.4 - 'getsebool' must exist and be executable |
| 78 | +# |
| 79 | +echo -n"test getsebool command ..." |
| 80 | + |
| 81 | +CMD_GETSEBOOL="`which getsebool`" |
| 82 | +if [!-x"${CMD_GETSEBOOL}" ];then |
| 83 | +echo"failed" |
| 84 | +echo |
| 85 | +echo"The getsebool should exist and be executable; it is internally used to" |
| 86 | +echo"this checks; to show current setting of SELinux boolean variables." |
| 87 | +echo"It is mostly included within libselinux-utils package. So, our suggestion" |
| 88 | +echo"is to install the latest version of this package." |
| 89 | +echo |
| 90 | +exit 1 |
| 91 | +fi |
| 92 | +echo"ok" |
| 93 | + |
| 94 | +# |
| 95 | +# Test.5 - SELinux must be configured to enforcing mode |
| 96 | +# |
| 97 | +echo -n"test enforcing mode ..." |
| 98 | + |
| 99 | +CURRENT_MODE=`env LANG=C${CMD_SESTATUS}| grep'Current mode:'| awk'{print $3}'` |
| 100 | +if ["${CURRENT_MODE}"!="enforcing" ];then |
| 101 | +echo"failed" |
| 102 | +echo |
| 103 | +echo"SELinux must be configured to 'enforcing' mode." |
| 104 | +echo"You can switch SELinux to enforcing mode using setenforce command," |
| 105 | +echo"as follows:" |
| 106 | +echo |
| 107 | +echo"\$ su -" |
| 108 | +echo" # setenforce 1" |
| 109 | +echo |
| 110 | +echo"The system default setting is configured at /etc/selinux/config," |
| 111 | +echo"or kernel bool parameter. Please also check it, if you see this" |
| 112 | +echo"message although you didn't switch to permissive mode." |
| 113 | +echo |
| 114 | +exit 1 |
| 115 | +fi |
| 116 | +echo"ok" |
| 117 | + |
| 118 | +# |
| 119 | +# Test.6 - 'sepgsql-regtest' policy module must be loaded |
| 120 | +# |
| 121 | +echo -n"test sepgsql-regtest policy ..." |
| 122 | + |
| 123 | +SELINUX_MNT=`env LANG=C${CMD_SESTATUS}| grep'^SELinuxfs mount:'| awk'{print $3}'` |
| 124 | +if [!-e${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ];then |
| 125 | +echo"failed" |
| 126 | +echo |
| 127 | +echo"The 'sepgsql-regtest' policy module must be installed; that provide" |
| 128 | +echo"a set of special rules for this regression test." |
| 129 | +echo"You can install this module as follows:" |
| 130 | +echo |
| 131 | +echo"\$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux" |
| 132 | +echo"\$ su" |
| 133 | +echo" # semodule -i contrib/sepgsql/sepgsql-regtest.pp" |
| 134 | +echo |
| 135 | +echo"Then, you can confirm the policy package being installed, as follows:" |
| 136 | +echo |
| 137 | +echo" # semodule -l | grep sepgsql" |
| 138 | +echo |
| 139 | +exit 1 |
| 140 | +fi |
| 141 | +echo"ok" |
| 142 | + |
| 143 | +# |
| 144 | +# Test.7 - 'sepgsql_regression_test_mode' must be turned on |
| 145 | +# |
| 146 | +echo -n"test selinux boolean ..." |
| 147 | + |
| 148 | +if!${CMD_GETSEBOOL} sepgsql_regression_test_mode| grep -q' on$';then |
| 149 | +echo"failed" |
| 150 | +echo |
| 151 | +echo"The boolean variable of 'sepgsql_regression_test_mode' must be" |
| 152 | +echo"turned. It affects an internal state of SELinux policy, then" |
| 153 | +echo"a set of rules to run regression test will be activated." |
| 154 | +echo"You can turn on this variable as follows:" |
| 155 | +echo |
| 156 | +echo"\$ su -" |
| 157 | +echo" # setsebool sepgsql_regression_test_mode 1" |
| 158 | +echo |
| 159 | +echo"Also note that we recommend to turn off this variable after the" |
| 160 | +echo"regression test, because it activates unnecessary rules." |
| 161 | +echo |
| 162 | +exit 1 |
| 163 | +fi |
| 164 | +echo"ok" |
| 165 | + |
| 166 | +# |
| 167 | +# Test.8 - 'psql' command must be labeled as 'bin_t' type |
| 168 | +# |
| 169 | +echo -n"test label of psql ..." |
| 170 | + |
| 171 | +CMD_PSQL="${PG_BINDIR}/psql" |
| 172 | +LABEL_PSQL=`stat -c'%C'${CMD_PSQL}| sed's/:/ /g'| awk'{print $3}'` |
| 173 | +if ["${LABEL_PSQL}"!="bin_t" ];then |
| 174 | +echo"failed" |
| 175 | +echo |
| 176 | +echo"The${CMD_PSQL} must be labeled as bin_t type." |
| 177 | +echo"You can assign right label using restorecon, as follows:" |
| 178 | +echo |
| 179 | +echo"\$ su - (not needed, if you owns installation directory)" |
| 180 | +echo" # restorecon -R${PG_BINDIR}" |
| 181 | +echo |
| 182 | +echo"Or, using chcon" |
| 183 | +echo |
| 184 | +echo" # chcon -t bin_t${CMD_PSQL}" |
| 185 | +echo |
| 186 | +exit 1 |
| 187 | +fi |
| 188 | +echo"ok" |
| 189 | + |
| 190 | +# |
| 191 | +# Test.9 - 'sepgsql' must be installed |
| 192 | +# and, not configured to permissive mode |
| 193 | +# |
| 194 | +echo -n"test sepgsql installation ..." |
| 195 | + |
| 196 | +VAL="`${CMD_PSQL} template1 -tc'SHOW sepgsql.permissive'2>/dev/null`" |
| 197 | +RETVAL="$?" |
| 198 | +if [$RETVAL-eq 2 ];then |
| 199 | +echo"failed" |
| 200 | +echo |
| 201 | +echo"The postgresql server process is not connectable." |
| 202 | +echo"Please check your installation first, rather than selinux settings." |
| 203 | +echo |
| 204 | +exit 1 |
| 205 | +elif [$RETVAL-ne 0 ];then |
| 206 | +echo"failed" |
| 207 | +echo |
| 208 | +echo"The sepgsql module was not loaded. So, our recommendation is to" |
| 209 | +echo"confirm 'shared_preload_libraries' setting in postgresql.conf," |
| 210 | +echo"then restart server process." |
| 211 | +echo"It must have '\$libdir/sepgsql' at least." |
| 212 | +echo |
| 213 | +exit 1 |
| 214 | +elif!echo"$VAL"| grep -q'off$';then |
| 215 | +echo"failed" |
| 216 | +echo |
| 217 | +echo"The GUC variable 'sepgsql.permissive' was set to 'on', although" |
| 218 | +echo"system configuration is enforcing mode." |
| 219 | +echo"You should eliminate this setting from postgresql.conf, then" |
| 220 | +echo"restart server process." |
| 221 | +echo |
| 222 | +exit 1 |
| 223 | +fi |
| 224 | +echo"ok" |
| 225 | + |
| 226 | +# |
| 227 | +# Test.10 - 'template1' database must be labeled |
| 228 | +# |
| 229 | +echo -n"test template1 database ..." |
| 230 | + |
| 231 | +NUM=`${CMD_PSQL} template1 -tc'SELECT count(*) FROM pg_catalog.pg_seclabel'2>/dev/null` |
| 232 | +if [-z"${NUM}"-o"$NUM"-eq 0 ];then |
| 233 | +echo"failed!" |
| 234 | +echo |
| 235 | +echo"Initial labels must be assigned on the 'template1' database; that shall" |
| 236 | +echo"be copied to the database for regression test." |
| 237 | +echo"See Installation section of the PostgreSQL documentation." |
| 238 | +echo |
| 239 | +exit 1 |
| 240 | +fi |
| 241 | +echo"ok" |
| 242 | + |
| 243 | +# |
| 244 | +# check complete - |
| 245 | +# |
| 246 | +echo |
| 247 | +exit 0 |