@@ -9,200 +9,153 @@ PG_DATADIR="$2"
99
1010echo
1111echo " ============== checking selinux environment =============="
12- #
13- # Test.0 - necessary commands for environment checks
14- #
15- echo -n" test installed commands ..."
16- if ! which --help>& /dev/null; then
17- echo " failed"
18- echo
19- echo " 'which' command was not found, executable or installed."
20- echo " Please make sure your PATH, or install this command at first."
21- echo
22- echo " If yum is available on your system, it will suggest packages"
23- echo " to be installed:"
24- echo " # yum provides which"
12+
13+ # matchpathcon must be present to assess whether the installation environment
14+ # is OK.
15+ echo -n" checking for matchpathcon ..."
16+ if ! matchpathcon -n. > /dev/null2>&1 ; then
17+ echo " not found"
18+ echo " "
19+ echo " matchpathcon not found; please install it or update your PATH."
2520exit 1
2621fi
27- if ! matchpathcon -n />& /dev/null; then
22+ echo " ok"
23+
24+ # runcon must be present to launch psql using the correct environment
25+ echo -n" checking for runcon ..."
26+ if ! runcon --help> /dev/null2>&1 ; then
2827echo " failed"
29- echo
30- echo " 'matchpathcon' command was not found, executable or installed."
31- echo " Please make sure your PATH, or install this command at first."
32- echo
33- echo " If yum is available on your system, it will suggest packages"
34- echo " to be installed:"
35- echo " # yum provides which"
28+ echo " "
29+ echo " The runcon command must exist and be executable; it is used to"
30+ echo " launch psql command with a particular domain. It is typically"
31+ echo " included within the coreutils package."
32+ echo " "
3633exit 1
3734fi
3835echo " ok"
3936
40- #
41- # Test.1 - must be launched at unconfined_t domain
42- #
43- echo -n" test unconfined_t domain ..."
44-
37+ # check that the user is running in the unconfined_t domain
38+ echo -n" checking current user domain ..."
4539DOMAIN=` id -Z2> /dev/null| sed' s/:/ /g' | awk' {print $3}' `
40+ echo ${DOMAIN:- failed}
4641if [" ${DOMAIN} " != " unconfined_t" ]; then
47- echo " failed"
48- echo
49- echo " This regression test needs to be launched on unconfined_t domain."
50- echo
51- echo " The unconfined_t domain is mostly default domain of users' shell"
52- echo " process. So, we suggest you to revert your special configuration"
53- echo " on your system, as follows:"
54- echo
42+ echo " "
43+ echo " This regression test must be launched from the unconfined_t domain."
44+ echo " "
45+ echo " The unconfined_t domain is typically the default domain for user"
46+ echo " shell processes. If the default has been changed on your system,"
47+ echo " you can revert the changes like this:"
48+ echo " "
5549echo " \$ su -"
5650echo " # semanage login -d` whoami` "
57- echo
58- echo " Or, add a setting tologin as unconfined_t domain"
59- echo
51+ echo " "
52+ echo " Or,you can add a setting tolog in using the unconfined_t domain: "
53+ echo " "
6054echo " \$ su -"
6155echo " # semanage login -a -s unconfined_u -r s0-s0:c0.c255` whoami` "
62- echo
56+ echo " "
6357exit 1
6458fi
65- echo " ok"
66-
67- #
68- # Test.2 - 'runcon' must exist and be executable
69- #
70- echo -n" test runcon command ..."
7159
72- CMD_RUNCON=" ` which runcon2> /dev/null` "
73- if [! -x " ${CMD_RUNCON} " ]; then
74- echo " failed"
75- echo
76- echo " The runcon must exist and be executable; it is internally used to"
77- echo " launch psql command with a particular domain. It is mostly included"
78- echo " within coreutils package. So, our suggestion is to install the latest"
79- echo " version of this package."
80- echo
81- exit 1
82- fi
83- echo " ok"
84-
85- #
86- # Test.3 - 'sestatus' must exist and be executable
87- #
88- echo -n" test sestatus command ..."
89-
90- CMD_SESTATUS=" ` which sestatus2> /dev/null` "
91- if [! -x " ${CMD_SESTATUS} " ]; then
92- echo " failed"
93- echo
94- echo " The sestatus should exist and be executable; it is internally used to"
95- echo " this checks; to show configuration of SELinux. It is mostly included"
96- echo " within policycoreutils package. So, our suggestion is to install the"
97- echo " latest version of this package."
98- echo
60+ # SELinux must be configured to enforcing mode
61+ echo -n" checking selinux operating mode ..."
62+ CURRENT_MODE=` env LANG=C sestatus| grep' Current mode:' | awk' {print $3}' `
63+ echo ${CURRENT_MODE:- failed}
64+ if [" ${CURRENT_MODE} " != enforcing ]; then
65+ if [" ${CURRENT_MODE} " = permissive-o " ${CURRENT_MODE} " = disabled ]; then
66+ echo " "
67+ echo " Before running the regression tests, SELinux must be enabled and"
68+ echo " must be running in enforcing mode."
69+ echo " "
70+ echo " If SELinux is currently running in permissive mode, you can"
71+ echo " switch to enforcing command using the 'setenforce' command."
72+ echo
73+ echo " \$ su -"
74+ echo " # setenforce 1"
75+ echo " "
76+ echo " The system default setting is configured in /etc/selinux/config,"
77+ echo " or using a kernel bool parameter."
78+ echo " "
79+ else
80+ echo " "
81+ echo " Unable to determine the current selinux operating mode. Please"
82+ echo " verify that the sestatus command is installed and in your PATH."
83+ echo " "
84+ fi
9985exit 1
10086fi
101- echo " ok"
102-
103- #
104- # Test.4 - 'getsebool' must exist and be executable
105- #
106- echo -n" test getsebool command ..."
107-
108- CMD_GETSEBOOL=" ` which getsebool` "
109- if [! -x " ${CMD_GETSEBOOL} " ]; then
110- echo " failed"
111- echo
112- echo " The getsebool should exist and be executable; it is internally used to"
113- echo " this checks; to show current setting of SELinux boolean variables."
114- echo " It is mostly included within libselinux-utils package. So, our suggestion"
115- echo " is to install the latest version of this package."
116- echo
117- exit 1
118- fi
119- echo " ok"
120-
121- #
122- # Test.5 - SELinux must be configured to enforcing mode
123- #
124- echo -n" test enforcing mode ..."
12587
126- CURRENT_MODE=` env LANG=C${CMD_SESTATUS} | grep' Current mode:' | awk' {print $3}' `
127- if [" ${CURRENT_MODE} " != " enforcing" ]; then
128- echo " failed"
129- echo
130- echo " SELinux must be configured to 'enforcing' mode."
131- echo " You can switch SELinux to enforcing mode using setenforce command,"
132- echo " as follows:"
133- echo
134- echo " \$ su -"
135- echo " # setenforce 1"
136- echo
137- echo " The system default setting is configured at /etc/selinux/config,"
138- echo " or kernel bool parameter. Please also check it, if you see this"
139- echo " message although you didn't switch to permissive mode."
140- echo
141- exit 1
88+ # 'sepgsql-regtest' policy module must be loaded
89+ echo -n" checking for sepgsql-regtest policy ..."
90+ SELINUX_MNT=` env LANG=C sestatus2> /dev/null| grep' ^SELinuxfs mount:' | awk' {print $3}' `
91+ if [" $SELINUX_MNT " = " " ]; then
92+ echo " failed"
93+ echo " "
94+ echo " Unable to find SELinuxfs mount point."
95+ echo " "
96+ echo " The sestatus command should report the location where SELinuxfs"
97+ echo " is mounted, but did not do so."
98+ echo " "
99+ exit 1
142100fi
143- echo " ok"
144-
145- #
146- # Test.6 - 'sepgsql-regtest' policy module must be loaded
147- #
148- echo -n" test sepgsql-regtest policy ..."
149-
150- SELINUX_MNT=` env LANG=C${CMD_SESTATUS} | grep' ^SELinuxfs mount:' | awk' {print $3}' `
151101if [! -e ${SELINUX_MNT} /booleans/sepgsql_regression_test_mode ]; then
152102echo " failed"
153- echo
154- echo " The 'sepgsql-regtest' policy modulemust be installed; that provide "
155- echo " a set of special rules for this regression test ."
156- echo " You can install this moduleas follows :"
157- echo
103+ echo " "
104+ echo " The 'sepgsql-regtest' policy moduleappears not to be installed. "
105+ echo " Without this policy installed, the regression tests will fail ."
106+ echo " You can install this moduleusing the following commands :"
107+ echo " "
158108echo " \$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux"
159109echo " \$ su"
160110echo " # semodule -i contrib/sepgsql/sepgsql-regtest.pp"
161- echo
162- echo " Then, you can confirmthe policy packagebeing installed,as follows :"
163- echo
111+ echo " "
112+ echo " To confirmthat policy packageis installed,use this command :"
113+ echo " "
164114echo " # semodule -l | grep sepgsql"
165- echo
115+ echo " "
166116exit 1
167117fi
168118echo " ok"
169119
170- #
171- # Test.7 - 'sepgsql_regression_test_mode' must be turned on
172- #
173- echo -n" test selinux boolean ..."
174-
175- if ! ${CMD_GETSEBOOL} sepgsql_regression_test_mode| grep -q' on$' ; then
176- echo " failed"
177- echo
178- echo " The boolean variable of 'sepgsql_regression_test_mode' must be"
179- echo " turned. It affects an internal state of SELinux policy, then"
180- echo " a set of rules to run regression test will be activated."
181- echo " You can turn on this variable as follows:"
182- echo
183- echo " \$ su -"
184- echo " # setsebool sepgsql_regression_test_mode 1"
185- echo
186- echo " Also note that we recommend to turn off this variable after the"
187- echo " regression test, because it activates unnecessary rules."
188- echo
120+ # Verify that sepgsql_regression_test_mode is active.
121+ echo -n" checking whether policy is enabled ..."
122+ POLICY_STATUS=` getsebool sepgsql_regression_test_mode| awk' {print $3}' `
123+ echo ${POLICY_STATUS:- failed}
124+ if [" ${POLICY_STATUS} " != " on" ]; then
125+ echo " "
126+ echo " The SELinux boolean 'sepgsql_regression_test_mode' must be"
127+ echo " turned on in order to enable the rules necessary to run the"
128+ echo " regression tests."
129+ echo " "
130+ if " ${POLICY_STATUS} " =" " ; then
131+ echo " We attempted to determine the state of this Boolean using"
132+ echo " 'getsebool', but that command did not produce the expected"
133+ echo " output. Please verify that getsebool is available and in"
134+ echo " your PATH."
135+ else
136+ echo " You can turn on this variable using the following commands:"
137+ echo " "
138+ echo " \$ su -"
139+ echo " # setsebool sepgsql_regression_test_mode 1"
140+ echo " "
141+ echo " For security reasons, it is suggested that you turn off this"
142+ echo " variable when regression testing is complete and the associated"
143+ echo " rules are no longer needed."
144+ fi
145+ echo " "
189146exit 1
190147fi
191- echo " ok"
192-
193- #
194- # Test.8 - 'psql' command must be executable by test domain
195- #
196- echo -n" test execution of psql ..."
197148
149+ # 'psql' command must be executable by test domain
150+ echo -n" checking whether we can run psql ..."
198151CMD_PSQL=" ${PG_BINDIR} /psql"
199- ${CMD_RUNCON} -t sepgsql_regtest_user_t${CMD_PSQL} --help>& /dev/null
152+ runcon -t sepgsql_regtest_user_t${CMD_PSQL} --help>& /dev/null
200153if [$? -ne 0 ]; then
201154echo " failed"
202155echo
203- echo " The ${CMD_PSQL} must be executableby sepgsql_regtest_user_t"
204- echo " domain.It has restricted privileges compared to unconfined_t, "
205- echo " so you should ensurewhether this command is labeled correctly."
156+ echo " ${CMD_PSQL} must be executablefrom the sepgsql_regtest_user_t"
157+ echo " domain.The domain has restricted privileges compared to"
158+ echo " unconfined_t, so you should ensurethat it is labeled correctly."
206159echo
207160echo " \$ su - (not needed, if you owns installation directory)"
208161 EXPECT_PSQL=` matchpathcon -n${CMD_PSQL} | sed' s/:/ /g' | awk' {print $3}' `
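Review bot: The inner test at new line 130, `if "${POLICY_STATUS}" = ""; then`, is missing the `[ ... ]` brackets, so the shell tries to execute the value of POLICY_STATUS as a command: when getsebool is absent the variable is empty, the shell reports a "command not found" error, the test fails, and the else branch prints the setsebool instructions instead of the intended "getsebool did not produce the expected output" message. It should read `if [ "${POLICY_STATUS}" = "" ]; then`. Relatedly, the sestatus call at new line 62 does not redirect stderr while the one at new line 90 does, so a missing sestatus prints a raw shell error before the script's own explanation; adding `2>/dev/null` there would make the two consistent. If I recall correctly sestatus omits the "Current mode:" line entirely when SELinux is disabled, in which case CURRENT_MODE is empty and the user sees the "unable to determine" message rather than the "must be enabled" one — worth confirming on a disabled host.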
@@ -226,61 +179,52 @@ if [ $? -ne 0 ]; then
226179fi
227180echo " ok"
228181
229- #
230- # Test.9 - 'sepgsql' must be installed
231- # and, not configured to permissive mode
232- #
233- echo -n" test sepgsql installation ..."
234-
182+ # loadable module must be installed and not configured to permissive mode
183+ echo -n" checking sepgsql installation ..."
235184VAL=" ` ${CMD_PSQL} template1 -tc' SHOW sepgsql.permissive' 2> /dev/null` "
236185RETVAL=" $? "
237186if [$RETVAL -eq 2 ]; then
238187echo " failed"
239- echo
240- echo " The postgresql server process is not connectable."
241- echo " Please check your installation first, rather than selinux settings."
242- echo
188+ echo " "
189+ echo " Unable to connect to the server. Please check your installation."
190+ echo " "
243191exit 1
244192elif [$RETVAL -ne 0 ]; then
245193echo " failed"
246- echo
247- echo " The sepgsql module was not loaded. So, our recommendation is to"
248- echo " confirm 'shared_preload_libraries' setting in postgresql.conf,"
249- echo " then restart server process."
250- echo " It must have '\$ libdir/sepgsql' at least."
251- echo
194+ echo " "
195+ echo " The 'sepgsql' module does not appear to be loaded. Please verify"
196+ echo " that the 'shared_preload_libraries' setting in postgresql.conf"
197+ echo " includes sepgsql, and then stop and restart the server."
198+ echo " "
252199exit 1
253200elif ! echo " $VAL " | grep -q' off$' ; then
254201echo " failed"
255- echo
256- echo " The GUC variable 'sepgsql.permissive' was set to 'on', although"
257- echo " system configuration is enforcing mode."
258- echo " You should eliminate this setting from postgresql.conf, then"
259- echo " restart server process."
260- echo
202+ echo " "
203+ echo " The GUC variable 'sepgsql.permissive' is set to 'on'. It must be"
204+ echo " turned off before running the regression tests."
205+ echo " "
261206exit 1
262207fi
263208echo " ok"
264209
265- #
266- # Test.10 - 'template1' database must be labeled
267- #
268- echo -n" test template1 database ..."
269-
270- NUM=` ${CMD_PSQL} template1 -tc' SELECT count(*) FROM pg_catalog.pg_seclabel' 2> /dev/null`
210+ # template1 database must be labeled
211+ echo -n" checking for labels in template1 ..."
212+ NUM=` ${CMD_PSQL} template1 -Atc' SELECT count(*) FROM pg_catalog.pg_seclabel' 2> /dev/null`
271213if [-z " ${NUM} " -o " $NUM " -eq 0 ]; then
272- echo " failed!"
273- echo
274- echo " Initial labels must be assigned on the 'template1' database; that shall"
275- echo " be copied to the database for regression test."
214+ echo " failed"
215+ echo " "
216+ echo " In order to regression test sepgsql, initial labels must be assigned"
217+ echo " on the 'template1' database. These labels will be copied into the"
218+ echo " regression test database."
219+ echo " "
276220echo " See Installation section of the PostgreSQL documentation."
277- echo
221+ echo " "
278222exit 1
279223fi
280- echo " ok "
224+ echo " found ${NUM} "
281225
282226#
283227# check complete -
284228#
285- echo
229+ echo " "
286230exit 0
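Review bot: The new `-Atc` form at new line 212 feeds a test on the next (unchanged) line, `[ -z "${NUM}" -o "$NUM" -eq 0 ]`, which still evaluates the `-eq` operand even when NUM is empty; bash's `[` does not short-circuit `-o`, so an empty result reports "integer expression expected" on stderr and returns 2, and the script then prints `found` with an empty count instead of the failure message. Splitting the test as `if [ -z "${NUM}" ] || [ "${NUM}" -eq 0 ]; then` avoids both the error and the deprecated `-o`. NUM should be empty here only if psql fails, which the preceding check already guards against, so the impact is limited to that edge case.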