Commit8cca49d

committed
Add some environment checks prior to sepgsql regression testing.
This probably needs more work, but it's a start.

KaiGai Kohei
1 parentf5af8ee commit8cca49d


3 files changed

+253
-2
lines changed

3 files changed

+253
-2
lines changed

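--- a/contrib/sepgsql/Makefile
+++ b/contrib/sepgsql/Makefile
@@ -5,6 +5,7 @@ OBJS = hooks.o selinux.o label.o dml.o \
 schema.o relation.o proc.o
 DATA_built = sepgsql.sql
 REGRESS = label dml misc
+REGRESS_PREP = check_selinux_environment
 EXTRA_CLEAN = -r tmp *.pp sepgsql-regtest.if sepgsql-regtest.fc
 
 ifdefUSE_PGXS
@@ -20,3 +21,6 @@ endif
 
 SHLIB_LINK +=$(filter -lselinux,$(LIBS))
 REGRESS_OPTS += --launcher$(top_builddir)/contrib/sepgsql/launcher
+
+check_selinux_environment:
+@$(top_builddir)/contrib/sepgsql/chkselinuxenv"$(bindir)""$(datadir)"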
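Review bot: `check_selinux_environment` names a command rather than a file, yet it is not declared phony, so a file of that name in contrib/sepgsql would make the environment check skip silently before the regression run; add `.PHONY: check_selinux_environment` beside the rule. The recipe executes `chkselinuxenv` directly from `$(top_builddir)/contrib/sepgsql`, which assumes the script is present there with its executable bit set. The page does not show the file mode, and a VPATH or `USE_PGXS` build may keep the script elsewhere, so this is worth confirming (the existing `--launcher` option makes the same assumption).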

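--- a/contrib/sepgsql/chkselinuxenv
+++ b/contrib/sepgsql/chkselinuxenv
@@ -0,0 +1,247 @@
+#!/bin/sh
+#
+# SELinux environment checks to ensure configuration of the operating system
+# satisfies prerequisites to run regression test.
+# If incorrect settings are found, this script suggest user a hint.
+#
+PG_BINDIR="$1"
+PG_DATADIR="$2"
+
+echo
+echo"============== checking selinux environment =============="
+
+#
+# Test.1 - must be launched at unconfined_t domain
+#
+echo -n"test unconfined_t domain ..."
+
+DOMAIN=`id -Z2>/dev/null| sed's/:/ /g'| awk'{print $3}'`
+if ["${DOMAIN}"!="unconfined_t" ];then
+echo"failed"
+echo
+echo"This regression test needs to be launched on unconfined_t domain."
+echo
+echo"The unconfined_t domain is mostly default domain of users' shell"
+echo"process. So, we suggest you to revert your special configuration"
+echo"on your system, as follows:"
+echo
+echo"\$ su -"
+echo" # semanage login -d`whoami`"
+echo
+echo"Or, add a setting to login as unconfined_t domain"
+echo
+echo"\$ su -"
+echo" # semanage login -a -s unconfined_u -r s0-s0:c0.c255`whoami`"
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.2 - 'runcon' must exist and be executable
+#
+echo -n"test runon command ..."
+
+CMD_RUNCON="`which runcon2>/dev/null`"
+if [!-x"${CMD_RUNCON}" ];then
+echo"failed"
+echo
+echo"The runcon must exist and be executable; it is internally used to"
+echo"launch psql command with a particular domain. It is mostly included"
+echo"within coreutils package. So, our suggestion is to install the latest"
+echo"version of this package."
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.3 - 'sestatus' must exist and be executable
+#
+echo -n"test sestatus command ..."
+
+CMD_SESTATUS="`which sestatus2>/dev/null`"
+if [!-x"${CMD_SESTATUS}" ];then
+echo"failed"
+echo
+echo"The sestatus should exist and be executable; it is internally used to"
+echo"this checks; to show configuration of SELinux. It is mostly included"
+echo"within policycoreutils package. So, our suggestion is to install the"
+echo"latest version of this package."
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.4 - 'getsebool' must exist and be executable
+#
+echo -n"test getsebool command ..."
+
+CMD_GETSEBOOL="`which getsebool`"
+if [!-x"${CMD_GETSEBOOL}" ];then
+echo"failed"
+echo
+echo"The getsebool should exist and be executable; it is internally used to"
+echo"this checks; to show current setting of SELinux boolean variables."
+echo"It is mostly included within libselinux-utils package. So, our suggestion"
+echo"is to install the latest version of this package."
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.5 - SELinux must be configured to enforcing mode
+#
+echo -n"test enforcing mode ..."
+
+CURRENT_MODE=`env LANG=C${CMD_SESTATUS}| grep'Current mode:'| awk'{print $3}'`
+if ["${CURRENT_MODE}"!="enforcing" ];then
+echo"failed"
+echo
+echo"SELinux must be configured to 'enforcing' mode."
+echo"You can switch SELinux to enforcing mode using setenforce command,"
+echo"as follows:"
+echo
+echo"\$ su -"
+echo" # setenforce 1"
+echo
+echo"The system default setting is configured at /etc/selinux/config,"
+echo"or kernel bool parameter. Please also check it, if you see this"
+echo"message although you didn't switch to permissive mode."
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.6 - 'sepgsql-regtest' policy module must be loaded
+#
+echo -n"test sepgsql-regtest policy ..."
+
+SELINUX_MNT=`env LANG=C${CMD_SESTATUS}| grep'^SELinuxfs mount:'| awk'{print $3}'`
+if [!-e${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ];then
+echo"failed"
+echo
+echo"The 'sepgsql-regtest' policy module must be installed; that provide"
+echo"a set of special rules for this regression test."
+echo"You can install this module as follows:"
+echo
+echo"\$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux"
+echo"\$ su"
+echo" # semodule -i contrib/sepgsql/sepgsql-regtest.pp"
+echo
+echo"Then, you can confirm the policy package being installed, as follows:"
+echo
+echo" # semodule -l | grep sepgsql"
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.7 - 'sepgsql_regression_test_mode' must be turned on
+#
+echo -n"test selinux boolean ..."
+
+if!${CMD_GETSEBOOL} sepgsql_regression_test_mode| grep -q' on$';then
+echo"failed"
+echo
+echo"The boolean variable of 'sepgsql_regression_test_mode' must be"
+echo"turned. It affects an internal state of SELinux policy, then"
+echo"a set of rules to run regression test will be activated."
+echo"You can turn on this variable as follows:"
+echo
+echo"\$ su -"
+echo" # setsebool sepgsql_regression_test_mode 1"
+echo
+echo"Also note that we recommend to turn off this variable after the"
+echo"regression test, because it activates unnecessary rules."
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.8 - 'psql' command must be labeled as 'bin_t' type
+#
+echo -n"test label of psql ..."
+
+CMD_PSQL="${PG_BINDIR}/psql"
+LABEL_PSQL=`stat -c'%C'${CMD_PSQL}| sed's/:/ /g'| awk'{print $3}'`
+if ["${LABEL_PSQL}"!="bin_t" ];then
+echo"failed"
+echo
+echo"The${CMD_PSQL} must be labeled as bin_t type."
+echo"You can assign right label using restorecon, as follows:"
+echo
+echo"\$ su - (not needed, if you owns installation directory)"
+echo" # restorecon -R${PG_BINDIR}"
+echo
+echo"Or, using chcon"
+echo
+echo" # chcon -t bin_t${CMD_PSQL}"
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.9 - 'sepgsql' must be installed
+# and, not configured to permissive mode
+#
+echo -n"test sepgsql installation ..."
+
+VAL="`${CMD_PSQL} template1 -tc'SHOW sepgsql.permissive'2>/dev/null`"
+RETVAL="$?"
+if [$RETVAL-eq 2 ];then
+echo"failed"
+echo
+echo"The postgresql server process is not connectable."
+echo"Please check your installation first, rather than selinux settings."
+echo
+exit 1
+elif [$RETVAL-ne 0 ];then
+echo"failed"
+echo
+echo"The sepgsql module was not loaded. So, our recommendation is to"
+echo"confirm 'shared_preload_libraries' setting in postgresql.conf,"
+echo"then restart server process."
+echo"It must have '\$libdir/sepgsql' at least."
+echo
+exit 1
+elif!echo"$VAL"| grep -q'off$';then
+echo"failed"
+echo
+echo"The GUC variable 'sepgsql.permissive' was set to 'on', although"
+echo"system configuration is enforcing mode."
+echo"You should eliminate this setting from postgresql.conf, then"
+echo"restart server process."
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# Test.10 - 'template1' database must be labeled
+#
+echo -n"test template1 database ..."
+
+NUM=`${CMD_PSQL} template1 -tc'SELECT count(*) FROM pg_catalog.pg_seclabel'2>/dev/null`
+if [-z"${NUM}"-o"$NUM"-eq 0 ];then
+echo"failed!"
+echo
+echo"Initial labels must be assigned on the 'template1' database; that shall"
+echo"be copied to the database for regression test."
+echo"See Installation section of the PostgreSQL documentation."
+echo
+exit 1
+fi
+echo"ok"
+
+#
+# check complete -
+#
+echo
+exit 0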
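Review bot: Test.10 can report "ok" when the psql query returns nothing, which makes this prerequisite check fail open. In `[ -z "${NUM}" -o "$NUM" -eq 0 ]` common sh implementations evaluate both sides of `-o`, so an empty `NUM` makes `-eq` raise an integer error, `[` exits with status 2, and the `if` skips the failure branch. Splitting the test avoids the obsolescent `-o` and rejects the empty case: `if [ -z "${NUM}" ] || [ "${NUM}" -eq 0 ]; then`. Test.6 and Test.8 expand `${SELINUX_MNT}` and `${CMD_PSQL}` unquoted although the Makefile passes `"$(bindir)"` quoted, so quoting them keeps an empty or space-containing path from changing what is tested. The Test.7 advice to turn `sepgsql_regression_test_mode` back off is printed only on failure; repeating it after the final "ok" would reach the users who actually have the boolean enabled.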

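--- a/src/makefiles/pgxs.mk
+++ b/src/makefiles/pgxs.mk
@@ -257,15 +257,15 @@ ifndef PGXS
 endif
 
 # against installed postmaster
-installcheck: submake
+installcheck: submake$(REGRESS_PREP)
 $(pg_regress_installcheck)$(REGRESS_OPTS)$(REGRESS)
 
 ifdefPGXS
 check:
 @echo'"$(MAKE) check" is not supported.'
 @echo'Do "$(MAKE) install", then "$(MAKE) installcheck" instead.'
 else
-check: all submake
+check: all submake$(REGRESS_PREP)
 $(pg_regress_check) --extra-install=$(subdir)$(REGRESS_OPTS)$(REGRESS)
 endif
 endif# REGRESS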
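Review bot: `REGRESS_PREP` becomes a hook that any extension makefile can set, but neither changed rule says what it is for; a comment above `installcheck:` such as `# REGRESS_PREP: optional targets that must succeed before the regression run` would document it. If this file lists its user-settable variables in a header comment (not visible in this hunk), the variable belongs there too. The same prerequisite is added to the non-PGXS `check:` rule, which presumably runs against a temporary installation, while the one visible user, sepgsql's `check_selinux_environment`, is passed `$(bindir)` and appears to inspect the installed psql and a running server. Whether that prep step is meaningful for `check` deserves a second look. The enclosing `REGRESS` conditional starts outside the hunk.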
