Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

Commit 794e255

Browse files
committed
Fix sepgsql regression tests.
The regression tests for sepgsql were broken by changes in the base distro as-shipped policies. Specifically, definition of unconfined_t in the system default policy was changed to bypass multi-category rules, which the regression test depended on. Fix that by defining a custom privileged domain (sepgsql_regtest_superuser_t) and using it instead of system's unconfined_t domain. The new sepgsql_regtest_superuser_t domain performs almost like the current unconfined_t, but restricted by multi-category policy as the traditional unconfined_t was. The custom policy module is a self defined domain, and so should not be affected by related future system policy changes. However, it still uses the unconfined_u:unconfined_r pair for selinux-user and role. Those definitions have not been changed for several years and seem less risky to rely on than the unconfined_t domain. Additionally, if we define custom user/role, they would need to be manually defined at the operating system level, adding more complexity to an already non-standard and complex regression test. Back-patch to 9.3. The regression tests will need more work before working correctly on 9.2. Starting with 9.2, sepgsql has had dependencies on libselinux versions that are only available on newer distros with the changed set of policies (e.g. RHEL 7.x). On 9.1 sepgsql works fine with the older distros with original policy set (e.g. RHEL 6.x), and on which the existing regression tests work fine. We might want eventually change 9.1 sepgsql regression tests to be more independent from the underlying OS policies, however more work will be needed to make that happen and it is not clear that it is worth the effort. Kohei KaiGai with review by Adam Brightwell and me, commentary by Stephen, Alvaro, Tom, Robert, and others.
1 parent c41a121 commit 794e255

File tree

11 files changed

+449
-378
lines changed

11 files changed

+449
-378
lines changed

contrib/sepgsql/expected/alter.out

+92-92
Large diffs are not rendered by default.

contrib/sepgsql/expected/ddl.out

+212-198
Large diffs are not rendered by default.

contrib/sepgsql/expected/dml.out

+3-3
Original file line numberDiff line numberDiff line change
@@ -192,9 +192,9 @@ LINE 1: SELECT * FROM my_schema_2.ts2;
192192
-- Clean up
193193
--
194194
SELECT sepgsql_getcon(); -- confirm client privilege
195-
sepgsql_getcon
196-
------------------------------------------------------
197-
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
195+
sepgsql_getcon
196+
---------------------------------------------------------------------
197+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255
198198
(1 row)
199199

200200
DROP TABLE IF EXISTS t1 CASCADE;

contrib/sepgsql/expected/label.out

+53-53
Original file line numberDiff line numberDiff line change
@@ -175,148 +175,148 @@ LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_re
175175
--
176176
-- validation of transaction aware dynamic-transition
177177
SELECT sepgsql_getcon(); -- confirm client privilege
178-
sepgsql_getcon
179-
--------------------------------------------------
180-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
178+
sepgsql_getcon
179+
-----------------------------------------------------------------
180+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c25
181181
(1 row)
182182

183-
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
183+
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15');
184184
sepgsql_setcon
185185
----------------
186186
t
187187
(1 row)
188188

189189
SELECT sepgsql_getcon();
190-
sepgsql_getcon
191-
--------------------------------------------------
192-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
190+
sepgsql_getcon
191+
-----------------------------------------------------------------
192+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15
193193
(1 row)
194194

195195
SELECT sepgsql_setcon(NULL); -- failed to reset
196196
ERROR: SELinux: security policy violation
197197
SELECT sepgsql_getcon();
198-
sepgsql_getcon
199-
--------------------------------------------------
200-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
198+
sepgsql_getcon
199+
-----------------------------------------------------------------
200+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15
201201
(1 row)
202202

203203
BEGIN;
204-
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12');
204+
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c12');
205205
sepgsql_setcon
206206
----------------
207207
t
208208
(1 row)
209209

210210
SELECT sepgsql_getcon();
211-
sepgsql_getcon
212-
--------------------------------------------------
213-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
211+
sepgsql_getcon
212+
-----------------------------------------------------------------
213+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c12
214214
(1 row)
215215

216216
SAVEPOINT svpt_1;
217-
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9');
217+
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c9');
218218
sepgsql_setcon
219219
----------------
220220
t
221221
(1 row)
222222

223223
SELECT sepgsql_getcon();
224-
sepgsql_getcon
225-
-------------------------------------------------
226-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
224+
sepgsql_getcon
225+
----------------------------------------------------------------
226+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c9
227227
(1 row)
228228

229229
SAVEPOINT svpt_2;
230-
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
230+
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6');
231231
sepgsql_setcon
232232
----------------
233233
t
234234
(1 row)
235235

236236
SELECT sepgsql_getcon();
237-
sepgsql_getcon
238-
-------------------------------------------------
239-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
237+
sepgsql_getcon
238+
----------------------------------------------------------------
239+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6
240240
(1 row)
241241

242242
SAVEPOINT svpt_3;
243-
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3');
243+
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c3');
244244
sepgsql_setcon
245245
----------------
246246
t
247247
(1 row)
248248

249249
SELECT sepgsql_getcon();
250-
sepgsql_getcon
251-
-------------------------------------------------
252-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c3
250+
sepgsql_getcon
251+
----------------------------------------------------------------
252+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c3
253253
(1 row)
254254

255255
ROLLBACK TO SAVEPOINT svpt_2;
256256
SELECT sepgsql_getcon(); -- should be 's0:c0.c9'
257-
sepgsql_getcon
258-
-------------------------------------------------
259-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
257+
sepgsql_getcon
258+
----------------------------------------------------------------
259+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c9
260260
(1 row)
261261

262262
ROLLBACK TO SAVEPOINT svpt_1;
263263
SELECT sepgsql_getcon(); -- should be 's0:c0.c12'
264-
sepgsql_getcon
265-
--------------------------------------------------
266-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
264+
sepgsql_getcon
265+
-----------------------------------------------------------------
266+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c12
267267
(1 row)
268268

269269
ABORT;
270270
SELECT sepgsql_getcon(); -- should be 's0:c0.c15'
271-
sepgsql_getcon
272-
--------------------------------------------------
273-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
271+
sepgsql_getcon
272+
-----------------------------------------------------------------
273+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15
274274
(1 row)
275275

276276
BEGIN;
277-
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8');
277+
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c8');
278278
sepgsql_setcon
279279
----------------
280280
t
281281
(1 row)
282282

283283
SELECT sepgsql_getcon();
284-
sepgsql_getcon
285-
-------------------------------------------------
286-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
284+
sepgsql_getcon
285+
----------------------------------------------------------------
286+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c8
287287
(1 row)
288288

289289
SAVEPOINT svpt_1;
290-
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4');
290+
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c4');
291291
sepgsql_setcon
292292
----------------
293293
t
294294
(1 row)
295295

296296
SELECT sepgsql_getcon();
297-
sepgsql_getcon
298-
-------------------------------------------------
299-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c4
297+
sepgsql_getcon
298+
----------------------------------------------------------------
299+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c4
300300
(1 row)
301301

302302
ROLLBACK TO SAVEPOINT svpt_1;
303303
SELECT sepgsql_getcon(); -- should be 's0:c0.c8'
304-
sepgsql_getcon
305-
-------------------------------------------------
306-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
304+
sepgsql_getcon
305+
----------------------------------------------------------------
306+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c8
307307
(1 row)
308308

309-
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
309+
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6');
310310
sepgsql_setcon
311311
----------------
312312
t
313313
(1 row)
314314

315315
COMMIT;
316316
SELECT sepgsql_getcon(); -- should be 's0:c0.c6'
317-
sepgsql_getcon
318-
-------------------------------------------------
319-
unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
317+
sepgsql_getcon
318+
----------------------------------------------------------------
319+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6
320320
(1 row)
321321

322322
-- sepgsql_regtest_user_t is not available dynamic-transition,
@@ -493,9 +493,9 @@ SELECT sepgsql_getcon();
493493
-- Clean up
494494
--
495495
SELECT sepgsql_getcon(); -- confirm client privilege
496-
sepgsql_getcon
497-
------------------------------------------------------
498-
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
496+
sepgsql_getcon
497+
---------------------------------------------------------------------
498+
unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255
499499
(1 row)
500500

501501
DROP TABLE IF EXISTS t1 CASCADE;

contrib/sepgsql/expected/misc.out

+17-17
Original file line numberDiff line numberDiff line change
@@ -12,11 +12,11 @@ SET sepgsql.debug_audit = on;
1212
SET client_min_messages = log;
1313
-- regular function and operators
1414
SELECT * FROM t1 WHERE x > 50 AND y like '%64%';
15-
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
16-
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
17-
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y"
18-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4gt(integer,integer)"
19-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)"
15+
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
16+
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
17+
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y"
18+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4gt(integer,integer)"
19+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)"
2020
x | y
2121
-----+----------------------------------
2222
77 | 28dd2c7955ce926456240b2ff0100bde
@@ -29,25 +29,25 @@ LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined
2929

3030
-- aggregate function
3131
SELECT MIN(x), AVG(x) FROM t1;
32-
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
33-
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
34-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.avg(integer)"
35-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4_avg_accum(bigint[],integer)"
36-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int8_avg(bigint[])"
37-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.min(integer)"
38-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4smaller(integer,integer)"
32+
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
33+
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
34+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.avg(integer)"
35+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4_avg_accum(bigint[],integer)"
36+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int8_avg(bigint[])"
37+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.min(integer)"
38+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4smaller(integer,integer)"
3939
min | avg
4040
-----+---------------------
4141
1 | 50.5000000000000000
4242
(1 row)
4343

4444
-- window function
4545
SELECT row_number() OVER (order by x), * FROM t1 WHERE y like '%86%';
46-
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
47-
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
48-
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y"
49-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()"
50-
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)"
46+
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
47+
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
48+
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y"
49+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()"
50+
LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)"
5151
row_number | x | y
5252
------------+----+----------------------------------
5353
1 | 2 | c81e728d9d4c2f636f067f89cc14862c

contrib/sepgsql/launcher

+1-1
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ fi
2121
# Read SQL from stdin
2222
#
2323
TEMP=`mktemp`
24-
CONTEXT=""
24+
CONTEXT="unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255"
2525

2626
while IFS='\\n' read LINE
2727
do

contrib/sepgsql/sepgsql-regtest.te

+58-1
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
policy_module(sepgsql-regtest, 1.07)
1+
policy_module(sepgsql-regtest, 1.08)
22

33
gen_require(`
44
all_userspace_class_perms
@@ -23,6 +23,35 @@ postgresql_procedure_object(sepgsql_nosuch_trusted_proc_exec_t)
2323
type sepgsql_regtest_invisible_schema_t;
2424
postgresql_schema_object(sepgsql_regtest_invisible_schema_t);
2525

26+
#
27+
# Test domains for self defined unconfined / superuser
28+
#
29+
role sepgsql_regtest_superuser_r;
30+
userdom_base_user_template(sepgsql_regtest_superuser)
31+
userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
32+
userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
33+
userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)
34+
optional_policy(`
35+
postgresql_stream_connect(sepgsql_regtest_superuser_t)
36+
postgresql_unconfined(sepgsql_regtest_superuser_t)
37+
')
38+
optional_policy(`
39+
unconfined_stream_connect(sepgsql_regtest_superuser_t)
40+
unconfined_rw_pipes(sepgsql_regtest_superuser_t)
41+
')
42+
optional_policy(`
43+
gen_require(`
44+
attribute sepgsql_client_type;
45+
')
46+
allow sepgsql_regtest_superuser_t self : process { setcurrent };
47+
allow sepgsql_regtest_superuser_t { self sepgsql_client_type } : process { dyntransition };
48+
')
49+
50+
# Type transition rules
51+
allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
52+
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
53+
type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t;
54+
2655
#
2756
# Test domains for database administrators
2857
#
@@ -156,10 +185,12 @@ optional_policy(`
156185
tunable_policy(`sepgsql_regression_test_mode',`
157186
allow unconfined_t self : process { setcurrent dyntransition };
158187
allow unconfined_t sepgsql_regtest_dba_t : process { transition dyntransition };
188+
allow unconfined_t sepgsql_regtest_superuser_t : process { transition dyntransition };
159189
allow unconfined_t sepgsql_regtest_user_t : process { transition dyntransition };
160190
allow unconfined_t sepgsql_regtest_pool_t : process { transition dyntransition };
161191
')
162192
role unconfined_r types sepgsql_regtest_dba_t;
193+
role unconfined_r types sepgsql_regtest_superuser_t;
163194
role unconfined_r types sepgsql_regtest_user_t;
164195
role unconfined_r types sepgsql_regtest_nosuch_t;
165196
role unconfined_r types sepgsql_trusted_proc_t;
@@ -169,6 +200,32 @@ optional_policy(`
169200
role unconfined_r types sepgsql_regtest_var_t;
170201
')
171202

203+
#
204+
# Rule to make MCS policy work on regression test
205+
#
206+
# NOTE: MCS (multi category security) policy was enabled by default, to
207+
# allow DAC style access control, in the previous selinux policy.
208+
# However, its definition was changed later, then a limited number of
209+
# applications are restricted by MCS policy, for container features
210+
# mainly. The rules below enables MCS policy for domains of regression
211+
# test also, even if base security policy does not apply. If base policy
212+
# is old and MCS is enabled in default, rules below does nothing.
213+
#
214+
optional_policy(`
215+
gen_require(`
216+
type sepgsql_trusted_proc_t;
217+
')
218+
mcs_constrained(sepgsql_regtest_dba_t)
219+
mcs_constrained(sepgsql_regtest_superuser_t)
220+
mcs_constrained(sepgsql_regtest_user_t)
221+
mcs_constrained(sepgsql_regtest_nosuch_t)
222+
mcs_constrained(sepgsql_trusted_proc_t)
223+
224+
mcs_constrained(sepgsql_regtest_pool_t)
225+
mcs_constrained(sepgsql_regtest_foo_t)
226+
mcs_constrained(sepgsql_regtest_var_t)
227+
')
228+
172229
#
173230
# Rule to execute original trusted procedures
174231
#

0 commit comments

Comments
 (0)