2011-07-25 16:51:02 +02:00
|
|
|
#!/bin/sh
|
|
|
|
#
|
|
|
|
# SELinux environment checks to ensure configuration of the operating system
|
|
|
|
# satisfies prerequisites to run regression test.
|
|
|
|
# If incorrect settings are found, this script suggest user a hint.
|
|
|
|
#
|
|
|
|
PG_BINDIR="$1"
|
|
|
|
PG_DATADIR="$2"
|
|
|
|
|
|
|
|
echo
|
|
|
|
echo "============== checking selinux environment =============="
|
2011-08-19 19:09:40 +02:00
|
|
|
|
|
|
|
# matchpathcon must be present to assess whether the installation environment
|
|
|
|
# is OK.
|
|
|
|
echo -n "checking for matchpathcon ... "
|
|
|
|
if ! matchpathcon -n . >/dev/null 2>&1; then
|
|
|
|
echo "not found"
|
|
|
|
echo ""
|
|
|
|
echo "matchpathcon not found; please install it or update your PATH."
|
2011-08-19 17:51:10 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
2011-08-19 19:09:40 +02:00
|
|
|
echo "ok"
|
|
|
|
|
|
|
|
# runcon must be present to launch psql using the correct environment
|
|
|
|
echo -n "checking for runcon ... "
|
|
|
|
if ! runcon --help >/dev/null 2>&1; then
|
2011-08-19 17:51:10 +02:00
|
|
|
echo "failed"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
|
|
|
echo "The runcon command must exist and be executable; it is used to"
|
|
|
|
echo "launch psql command with a particular domain. It is typically"
|
|
|
|
echo "included within the coreutils package."
|
|
|
|
echo ""
|
2011-08-19 17:51:10 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
echo "ok"
|
2011-07-25 16:51:02 +02:00
|
|
|
|
2011-08-19 19:09:40 +02:00
|
|
|
# check that the user is running in the unconfined_t domain
|
|
|
|
echo -n "checking current user domain ... "
|
2011-07-25 16:51:02 +02:00
|
|
|
DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'`
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ${DOMAIN:-failed}
|
2011-07-25 16:51:02 +02:00
|
|
|
if [ "${DOMAIN}" != "unconfined_t" ]; then
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
|
|
|
echo "This regression test must be launched from the unconfined_t domain."
|
|
|
|
echo ""
|
|
|
|
echo "The unconfined_t domain is typically the default domain for user"
|
|
|
|
echo "shell processes. If the default has been changed on your system,"
|
|
|
|
echo "you can revert the changes like this:"
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
echo " \$ su -"
|
|
|
|
echo " # semanage login -d `whoami`"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
|
|
|
echo "Or, you can add a setting to log in using the unconfined_t domain:"
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
echo " \$ su -"
|
|
|
|
echo " # semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2011-08-19 19:09:40 +02:00
|
|
|
# SELinux must be configured to enforcing mode
|
|
|
|
echo -n "checking selinux operating mode ... "
|
|
|
|
CURRENT_MODE=`env LANG=C sestatus | grep 'Current mode:' | awk '{print $3}'`
|
|
|
|
echo ${CURRENT_MODE:-failed}
|
|
|
|
if [ "${CURRENT_MODE}" != enforcing ]; then
|
|
|
|
if [ "${CURRENT_MODE}" = permissive -o "${CURRENT_MODE}" = disabled ]; then
|
|
|
|
echo ""
|
|
|
|
echo "Before running the regression tests, SELinux must be enabled and"
|
|
|
|
echo "must be running in enforcing mode."
|
|
|
|
echo ""
|
|
|
|
echo "If SELinux is currently running in permissive mode, you can"
|
|
|
|
echo "switch to enforcing command using the 'setenforce' command."
|
|
|
|
echo
|
|
|
|
echo " \$ su -"
|
|
|
|
echo " # setenforce 1"
|
|
|
|
echo ""
|
|
|
|
echo "The system default setting is configured in /etc/selinux/config,"
|
|
|
|
echo "or using a kernel bool parameter."
|
|
|
|
echo ""
|
|
|
|
else
|
|
|
|
echo ""
|
|
|
|
echo "Unable to determine the current selinux operating mode. Please"
|
|
|
|
echo "verify that the sestatus command is installed and in your PATH."
|
|
|
|
echo ""
|
|
|
|
fi
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2011-08-19 19:09:40 +02:00
|
|
|
# 'sepgsql-regtest' policy module must be loaded
|
|
|
|
echo -n "checking for sepgsql-regtest policy ... "
|
|
|
|
SELINUX_MNT=`env LANG=C sestatus 2>/dev/null | grep '^SELinuxfs mount:' | awk '{print $3}'`
|
|
|
|
if [ "$SELINUX_MNT" = "" ]; then
|
|
|
|
echo "failed"
|
|
|
|
echo ""
|
|
|
|
echo "Unable to find SELinuxfs mount point."
|
|
|
|
echo ""
|
|
|
|
echo "The sestatus command should report the location where SELinuxfs"
|
|
|
|
echo "is mounted, but did not do so."
|
|
|
|
echo ""
|
|
|
|
exit 1
|
2011-07-25 16:51:02 +02:00
|
|
|
fi
|
|
|
|
if [ ! -e ${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ]; then
|
|
|
|
echo "failed"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
|
|
|
echo "The 'sepgsql-regtest' policy module appears not to be installed."
|
|
|
|
echo "Without this policy installed, the regression tests will fail."
|
|
|
|
echo "You can install this module using the following commands:"
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
echo " \$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux"
|
|
|
|
echo " \$ su"
|
|
|
|
echo " # semodule -i contrib/sepgsql/sepgsql-regtest.pp"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
|
|
|
echo "To confirm that policy package is installed, use this command:"
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
echo " # semodule -l | grep sepgsql"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
echo "ok"
|
|
|
|
|
2011-08-19 19:09:40 +02:00
|
|
|
# Verify that sepgsql_regression_test_mode is active.
|
|
|
|
echo -n "checking whether policy is enabled ... "
|
|
|
|
POLICY_STATUS=`getsebool sepgsql_regression_test_mode | awk '{print $3}'`
|
|
|
|
echo ${POLICY_STATUS:-failed}
|
|
|
|
if [ "${POLICY_STATUS}" != "on" ]; then
|
|
|
|
echo ""
|
|
|
|
echo "The SELinux boolean 'sepgsql_regression_test_mode' must be"
|
|
|
|
echo "turned on in order to enable the rules necessary to run the"
|
|
|
|
echo "regression tests."
|
|
|
|
echo ""
|
|
|
|
if "${POLICY_STATUS}" = ""; then
|
|
|
|
echo "We attempted to determine the state of this Boolean using"
|
|
|
|
echo "'getsebool', but that command did not produce the expected"
|
|
|
|
echo "output. Please verify that getsebool is available and in"
|
|
|
|
echo "your PATH."
|
|
|
|
else
|
|
|
|
echo "You can turn on this variable using the following commands:"
|
|
|
|
echo ""
|
|
|
|
echo " \$ su -"
|
|
|
|
echo " # setsebool sepgsql_regression_test_mode 1"
|
|
|
|
echo ""
|
|
|
|
echo "For security reasons, it is suggested that you turn off this"
|
|
|
|
echo "variable when regression testing is complete and the associated"
|
|
|
|
echo "rules are no longer needed."
|
|
|
|
fi
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2011-08-19 19:09:40 +02:00
|
|
|
# 'psql' command must be executable by test domain
|
|
|
|
echo -n "checking whether we can run psql ... "
|
2011-07-25 16:51:02 +02:00
|
|
|
CMD_PSQL="${PG_BINDIR}/psql"
|
2011-08-19 19:09:40 +02:00
|
|
|
runcon -t sepgsql_regtest_user_t ${CMD_PSQL} --help >& /dev/null
|
2011-08-19 17:51:10 +02:00
|
|
|
if [ $? -ne 0 ]; then
|
2011-07-25 16:51:02 +02:00
|
|
|
echo "failed"
|
|
|
|
echo
|
2011-08-19 19:09:40 +02:00
|
|
|
echo "${CMD_PSQL} must be executable from the sepgsql_regtest_user_t"
|
|
|
|
echo "domain. The domain has restricted privileges compared to"
|
|
|
|
echo "unconfined_t, so you should ensure that it is labeled correctly."
|
2011-07-25 16:51:02 +02:00
|
|
|
echo
|
|
|
|
echo " \$ su - (not needed, if you owns installation directory)"
|
2011-08-19 17:51:10 +02:00
|
|
|
EXPECT_PSQL=`matchpathcon -n ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'`
|
|
|
|
if [ "${EXPECT_PSQL}" = "user_home_t" ]; then
|
|
|
|
## Case of installation on /home directory
|
|
|
|
echo " # restorecon -R ${PG_BINDIR}"
|
|
|
|
echo
|
|
|
|
echo "Or, using chcon"
|
|
|
|
echo
|
|
|
|
echo " # chcon -t user_home_t ${CMD_PSQL}"
|
|
|
|
else
|
|
|
|
echo " \$ su - (not needed, if you own the installation directory)"
|
|
|
|
echo " # restorecon -R ${PG_BINDIR}"
|
|
|
|
echo
|
|
|
|
echo "Or, using chcon"
|
|
|
|
echo
|
|
|
|
echo " # chcon -t bin_t ${CMD_PSQL}"
|
|
|
|
fi
|
2011-07-25 16:51:02 +02:00
|
|
|
echo
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
echo "ok"
|
|
|
|
|
2011-08-19 19:09:40 +02:00
|
|
|
# loadable module must be installed and not configured to permissive mode
|
|
|
|
echo -n "checking sepgsql installation ... "
|
2011-07-25 16:51:02 +02:00
|
|
|
VAL="`${CMD_PSQL} template1 -tc 'SHOW sepgsql.permissive' 2>/dev/null`"
|
|
|
|
RETVAL="$?"
|
|
|
|
if [ $RETVAL -eq 2 ]; then
|
|
|
|
echo "failed"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
|
|
|
echo "Unable to connect to the server. Please check your installation."
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 1
|
|
|
|
elif [ $RETVAL -ne 0 ]; then
|
|
|
|
echo "failed"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
|
|
|
echo "The 'sepgsql' module does not appear to be loaded. Please verify"
|
|
|
|
echo "that the 'shared_preload_libraries' setting in postgresql.conf"
|
|
|
|
echo "includes sepgsql, and then stop and restart the server."
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 1
|
|
|
|
elif ! echo "$VAL" | grep -q 'off$'; then
|
|
|
|
echo "failed"
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
|
|
|
echo "The GUC variable 'sepgsql.permissive' is set to 'on'. It must be"
|
|
|
|
echo "turned off before running the regression tests."
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
echo "ok"
|
|
|
|
|
2011-08-19 19:09:40 +02:00
|
|
|
# template1 database must be labeled
|
|
|
|
echo -n "checking for labels in template1 ... "
|
|
|
|
NUM=`${CMD_PSQL} template1 -Atc 'SELECT count(*) FROM pg_catalog.pg_seclabel' 2>/dev/null`
|
2011-07-25 16:51:02 +02:00
|
|
|
if [ -z "${NUM}" -o "$NUM" -eq 0 ]; then
|
2011-08-19 19:09:40 +02:00
|
|
|
echo "failed"
|
|
|
|
echo ""
|
|
|
|
echo "In order to regression test sepgsql, initial labels must be assigned"
|
|
|
|
echo "on the 'template1' database. These labels will be copied into the"
|
|
|
|
echo "regression test database."
|
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
echo "See Installation section of the PostgreSQL documentation."
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
2011-08-19 19:09:40 +02:00
|
|
|
echo "found ${NUM}"
|
2011-07-25 16:51:02 +02:00
|
|
|
|
|
|
|
#
|
|
|
|
# check complete -
|
|
|
|
#
|
2011-08-19 19:09:40 +02:00
|
|
|
echo ""
|
2011-07-25 16:51:02 +02:00
|
|
|
exit 0
|