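#!/bin/sh

# Run the sepgsql regression tests, after making a lot of environmental checks
# to try to ensure that the SELinux environment is set up appropriately and
# the database is configured correctly.
#
# Note that this must be run against an installed Postgres database.
# There's no equivalent of "make check", and that wouldn't be terribly useful
# since much of the value is in checking that you installed sepgsql into
# your database correctly.
#
# This must be run in the contrib/sepgsql directory of a Postgres build tree.
#
# The script is plain POSIX sh: on the distributions that ship SELinux
# /bin/sh is frequently dash, so no bashisms (">&", "+=", "-o" in test) are
# used.  Every failed check prints a diagnosis and exits 1; the exit status
# of a run that reaches the tests is whatever "make installcheck" returns.

# pg_config tells us where psql lives.  Without this check a missing
# pg_config would leave PG_BINDIR empty and the later psql test would look
# for "/psql", which is a confusing failure.
PG_BINDIR=$(pg_config --bindir) || {
	echo "pg_config was not found; add the PostgreSQL bin directory to your PATH."
	exit 1
}
if [ -z "${PG_BINDIR}" ]; then
	echo "pg_config --bindir printed nothing; check your PostgreSQL installation."
	exit 1
fi

# we must move to contrib/sepgsql directory to run pg_regress correctly
cd "$(dirname "$0")" || exit 1

echo
echo "============== checking selinux environment =============="

# matchpathcon must be present to assess whether the installation environment
# is OK.
printf '%s' "checking for matchpathcon ... "
if ! matchpathcon -n . >/dev/null 2>&1; then
	echo "not found"
	echo ""
	echo "The matchpathcon command must be available."
	echo "Please install it or update your PATH to include it"
	echo "(it is typically in '/usr/sbin', which might not be in your PATH)."
	echo "matchpathcon is typically included in the libselinux-utils package."
	exit 1
fi
echo "ok"

# runcon must be present to launch psql using the correct environment
printf '%s' "checking for runcon ... "
if ! runcon --help >/dev/null 2>&1; then
	echo "not found"
	echo ""
	echo "The runcon command must be available."
	echo "runcon is typically included in the coreutils package."
	echo ""
	exit 1
fi
echo "ok"

# check sestatus too, since that lives in yet another package
printf '%s' "checking for sestatus ... "
if ! sestatus >/dev/null 2>&1; then
	echo "not found"
	echo ""
	echo "The sestatus command must be available."
	echo "sestatus is typically included in the policycoreutils package."
	echo ""
	exit 1
fi
echo "ok"

# check that the user is running in the unconfined_t domain
# The domain is the third colon-separated field of the process context
# (e.g. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023).
printf '%s' "checking current user domain ... "
DOMAIN=$(id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}')
echo "${DOMAIN:-failed}"
if [ "${DOMAIN}" != unconfined_t ]; then
	echo ""
	echo "The regression tests must be launched from the unconfined_t domain."
	echo ""
	echo "The unconfined_t domain is typically the default domain for user"
	echo "shell processes. If the default has been changed on your system,"
	echo "you can revert the changes like this:"
	echo ""
	echo " \$ sudo semanage login -d $(whoami)"
	echo ""
	echo "Or, you can add a setting to log in using the unconfined_t domain:"
	echo ""
	echo " \$ sudo semanage login -a -s unconfined_u -r s0-s0:c0.c255 $(whoami)"
	echo ""
	exit 1
fi

# SELinux must be configured in enforcing mode.
# LC_ALL (rather than LANG, which any LC_* variable overrides) pins the C
# locale so the labels we grep for are not translated.
printf '%s' "checking selinux operating mode ... "
CURRENT_MODE=$(LC_ALL=C sestatus | grep '^Current mode:' | awk '{print $3}')
if [ -z "${CURRENT_MODE}" ]; then
	# sestatus prints no "Current mode:" line at all when SELinux is
	# disabled; the "SELinux status:" line then reads "disabled", which is
	# the value the branch below expects.
	CURRENT_MODE=$(LC_ALL=C sestatus | grep '^SELinux status:' | awk '{print $3}')
fi
echo "${CURRENT_MODE:-failed}"
case "${CURRENT_MODE}" in
	enforcing)
		: OK
		;;
	permissive|disabled)
		echo ""
		echo "Before running the regression tests, SELinux must be enabled and"
		echo "must be running in enforcing mode."
		echo ""
		echo "If SELinux is currently running in permissive mode, you can"
		echo "switch to enforcing mode using the 'setenforce' command."
		echo
		echo " \$ sudo setenforce 1"
		echo ""
		echo "The system default setting is configured in /etc/selinux/config,"
		echo "or using a kernel boot parameter."
		echo ""
		exit 1
		;;
	*)
		echo ""
		echo "Unable to determine the current selinux operating mode. Please"
		echo "verify that the sestatus command is installed and in your PATH."
		echo ""
		exit 1
		;;
esac

# 'sepgsql-regtest' policy module must be loaded
printf '%s' "checking for sepgsql-regtest policy ... "
SELINUX_MNT=$(LC_ALL=C sestatus | grep '^SELinuxfs mount:' | awk '{print $3}')
if [ -z "${SELINUX_MNT}" ]; then
	echo "failed"
	echo ""
	echo "Unable to find SELinuxfs mount point."
	echo ""
	echo "The sestatus command should report the location where SELinuxfs"
	echo "is mounted, but did not do so."
	echo ""
	exit 1
fi
if [ ! -e "${SELINUX_MNT}/booleans/sepgsql_regression_test_mode" ]; then
	echo "failed"
	echo ""
	echo "The 'sepgsql-regtest' policy module appears not to be installed."
	echo "Without this policy installed, the regression tests will fail."
	echo "You can install this module using the following commands:"
	echo ""
	echo " \$ make -f /usr/share/selinux/devel/Makefile"
	echo " \$ sudo semodule -u sepgsql-regtest.pp"
	echo ""
	echo "To confirm that the policy package is installed, use this command:"
	echo ""
	echo " \$ sudo semodule -l | grep sepgsql"
	echo ""
	exit 1
fi
echo "ok"

# Print the state of SELinux boolean $1 as getsebool reports it ("on" or
# "off"); prints nothing if getsebool is missing or does not know the name.
get_boolean() {
	getsebool "$1" 2>/dev/null | awk '{print $3}'
}

# Verify that sepgsql_regression_test_mode is active.
printf '%s' "checking whether policy is enabled ... "
POLICY_STATUS=$(get_boolean sepgsql_regression_test_mode)
echo "${POLICY_STATUS:-failed}"
if [ "${POLICY_STATUS}" != on ]; then
	echo ""
	echo "The SELinux boolean 'sepgsql_regression_test_mode' must be"
	echo "turned on in order to enable the rules necessary to run the"
	echo "regression tests."
	echo ""
	if [ -z "${POLICY_STATUS}" ]; then
		echo "We attempted to determine the state of this Boolean using"
		echo "'getsebool', but that command did not produce the expected"
		echo "output. Please verify that getsebool is available and in"
		echo "your PATH."
	else
		echo "You can turn on this variable using the following commands:"
		echo ""
		echo " \$ sudo setsebool sepgsql_regression_test_mode on"
		echo ""
		echo "For security reasons, it is suggested that you turn off this"
		echo "variable when regression testing is complete and the associated"
		echo "rules are no longer needed."
	fi
	echo ""
	exit 1
fi

# Verify that unprivileged users are allowed DDL; the ddl test depends on it.
printf '%s' "checking whether sepgsql_enable_users_ddl is enabled ... "
POLICY_STATUS=$(get_boolean sepgsql_enable_users_ddl)
echo "${POLICY_STATUS:-failed}"
if [ "${POLICY_STATUS}" != on ]; then
	echo ""
	echo "The SELinux boolean 'sepgsql_enable_users_ddl' must be"
	echo "turned on in order to enable the rules necessary to run"
	echo "the regression tests."
	echo ""
	if [ -z "${POLICY_STATUS}" ]; then
		echo "We attempted to determine the state of this Boolean using"
		echo "'getsebool', but that command did not produce the expected"
		echo "output. Please verify that getsebool is available and in"
		echo "your PATH."
	else
		echo "You can turn on this variable using the following commands:"
		echo ""
		echo " \$ sudo setsebool sepgsql_enable_users_ddl on"
		echo ""
		echo "For security reasons, it is suggested that you turn off this"
		echo "variable when regression testing is complete, unless you"
		echo "don't want to allow unprivileged users DDL commands."
	fi
	echo ""
	exit 1
fi

# 'psql' command must be executable from test domain
printf '%s' "checking whether we can run psql ... "
CMD_PSQL="${PG_BINDIR}/psql"
if [ ! -e "${CMD_PSQL}" ]; then
	echo "not found"
	echo
	echo "${CMD_PSQL} was not found."
	echo "Check your PostgreSQL installation."
	echo
	exit 1
fi
# ">& /dev/null" is a bash/csh spelling that dash rejects as a syntax error;
# the portable form redirects stdout and stderr separately.
if ! runcon -t sepgsql_regtest_user_t "${CMD_PSQL}" --help >/dev/null 2>&1; then
	echo "failed"
	echo
	echo "${CMD_PSQL} must be executable from the"
	echo "sepgsql_regtest_user_t domain. That domain has restricted privileges"
	echo "compared to unconfined_t, so the problem may be the psql file's"
	echo "SELinux label. Try"
	echo
	# The type is the third field of the context matchpathcon expects for
	# the file; user_home_t means the install lives under a home directory.
	PSQL_T=$(matchpathcon -n "${CMD_PSQL}" | sed 's/:/ /g' | awk '{print $3}')
	if [ "${PSQL_T}" = "user_home_t" ]; then
		# Installation appears to be in /home directory
		echo " \$ sudo restorecon -R ${PG_BINDIR}"
		echo
		echo "Or, using chcon"
		echo
		echo " \$ sudo chcon -t user_home_t ${CMD_PSQL}"
	else
		echo " \$ sudo restorecon -R ${PG_BINDIR}"
		echo
		echo "Or, using chcon"
		echo
		echo " \$ sudo chcon -t bin_t ${CMD_PSQL}"
	fi
	echo
	exit 1
fi
echo "ok"

# loadable module must be installed and not configured to permissive mode
printf '%s' "checking sepgsql installation ... "
VAL=$(${CMD_PSQL} -X -t -c 'SHOW sepgsql.permissive' template1 2>/dev/null)
RETVAL=$?
# psql exits 2 when it cannot connect at all and non-zero (1) when the
# server rejects the query, which here means the sepgsql GUC is unknown.
if [ "${RETVAL}" -eq 2 ]; then
	echo "failed"
	echo ""
	echo "Could not connect to the database server."
	echo "Please check your PostgreSQL installation."
	echo ""
	exit 1
elif [ "${RETVAL}" -ne 0 ]; then
	echo "failed"
	echo ""
	echo "The sepgsql module does not appear to be loaded. Please verify"
	echo "that the 'shared_preload_libraries' setting in postgresql.conf"
	echo "includes 'sepgsql', and then restart the server."
	echo ""
	echo "See Installation section of the contrib/sepgsql documentation."
	echo ""
	exit 1
elif ! echo "${VAL}" | grep -q 'off$'; then
	echo "failed"
	echo ""
	echo "The parameter 'sepgsql.permissive' is set to 'on'. It must be"
	echo "turned off before running the regression tests."
	echo ""
	exit 1
fi
echo "ok"

# template1 database must be labeled
# NOTE: this test is wrong; we really ought to be checking template0.
# But we can't connect to that without extra pushups, and it's not worth it.
printf '%s' "checking for labels in template1 ... "
NUM=$(${CMD_PSQL} -XAt -c 'SELECT count(*) FROM pg_catalog.pg_seclabel' template1 2>/dev/null)
# An empty result means the query failed; a count of 0 means the database
# is reachable but nothing in it has been labeled, which fails the tests
# just the same.
case "${NUM}" in
	''|0)
		echo "${NUM:-failed}"
		echo ""
		echo "In order to test sepgsql, initial labels must be assigned within"
		echo "the 'template1' database. These labels will be copied into the"
		echo "regression test database."
		echo ""
		echo "See Installation section of the contrib/sepgsql documentation."
		echo ""
		exit 1
		;;
esac
echo "found ${NUM}"


# checking complete - let's run the tests

echo
echo "============== running sepgsql regression tests =============="

tests="label dml ddl alter misc"

# Check if the truncate permission exists in the loaded policy, and if so,
# run the truncate test.  Look under the SELinuxfs mount that sestatus
# reported rather than assuming /sys/fs/selinux.
#
# Testing the TRUNCATE regression test can be done by manually adding
# the permission with CIL if necessary:
#   sudo semodule -cE base
#   sudo sed -i -E 's/(class db_table.*?) \)/\1 truncate\)/' base.cil
#   sudo semodule -i base.cil
if [ -f "${SELINUX_MNT}/class/db_table/perms/truncate" ]; then
	# POSIX sh has no "+=" (dash treats "tests+=" as a command name), so
	# append by re-expanding the list.
	tests="${tests} truncate"
fi

make REGRESS="$tests" REGRESS_OPTS="--launcher ./launcher" installcheck
# exit with the exit code provided by "make"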