diff --git a/contrib/sepgsql/chkselinuxenv b/contrib/sepgsql/chkselinuxenv index 3ae5a0e617..ad3b92e17e 100755 --- a/contrib/sepgsql/chkselinuxenv +++ b/contrib/sepgsql/chkselinuxenv @@ -9,6 +9,33 @@ PG_DATADIR="$2" echo echo "============== checking selinux environment ==============" +# +# Test.0 - necessary commands for environment checks +# +echo -n "test installed commands ... " +if ! which --help >&/dev/null; then + echo "failed" + echo + echo "'which' command was not found, executable or installed." + echo "Please make sure your PATH, or install this command at first." + echo + echo "If yum is available on your system, it will suggest packages" + echo "to be installed:" + echo " # yum provides which" + exit 1 +fi +if ! matchpathcon -n / >&/dev/null; then + echo "failed" + echo + echo "'matchpathcon' command was not found, executable or installed." + echo "Please make sure your PATH, or install this command at first." + echo + echo "If yum is available on your system, it will suggest packages" + echo "to be installed:" + echo " # yum provides which" + exit 1 +fi +echo "ok" # # Test.1 - must be launched at unconfined_t domain 
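Review bot: The failure text in the `matchpathcon` branch of Test.0 still tells the user to run `# yum provides which`, copied from the branch above; it should name the command that is actually missing, e.g. `# yum provides matchpathcon`. Both probes redirect with `>&/dev/null`, which is a bash/csh extension; the interpreter line is outside this hunk, so if the script can run under a strictly POSIX `/bin/sh`, `>/dev/null 2>&1` is the portable form. The first probe also assumes a `which` implementation that accepts `--help`, so a `which` without that option would be reported as missing.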
@@ -164,24 +191,36 @@ fi echo "ok" # -# Test.8 - 'psql' command must be labeled as 'bin_t' type +# Test.8 - 'psql' command must be executable by test domain # -echo -n "test label of psql ... " +echo -n "test execution of psql ... " CMD_PSQL="${PG_BINDIR}/psql" -LABEL_PSQL=`stat -c '%C' ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'` -if [ "${LABEL_PSQL}" != "bin_t" ]; then +${CMD_RUNCON} -t sepgsql_regtest_user_t ${CMD_PSQL} --help >& /dev/null +if [ $? -ne 0 ]; then echo "failed" echo - echo "The ${CMD_PSQL} must be labeled as bin_t type." - echo "You can assign right label using restorecon, as follows:" + echo "The ${CMD_PSQL} must be executable by sepgsql_regtest_user_t" + echo "domain. It has restricted privileges compared to unconfined_t," + echo "so you should ensure whether this command is labeled correctly." echo echo " \$ su - (not needed, if you owns installation directory)" - echo " # restorecon -R ${PG_BINDIR}" - echo - echo "Or, using chcon" - echo - echo " # chcon -t bin_t ${CMD_PSQL}" + EXPECT_PSQL=`matchpathcon -n ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'` + if [ "${EXPECT_PSQL}" = "user_home_t" ]; then + ## Case of installation on /home directory + echo " # restorecon -R ${PG_BINDIR}" + echo + echo "Or, using chcon" + echo + echo " # chcon -t user_home_t ${CMD_PSQL}" + else + echo " \$ su - (not needed, if you own the installation directory)" + echo " # restorecon -R ${PG_BINDIR}" + echo + echo "Or, using chcon" + echo + echo " # chcon -t bin_t ${CMD_PSQL}" + fi echo exit 1 fi diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te index 3b1def75a5..a8fe2476a4 100644 --- a/contrib/sepgsql/sepgsql-regtest.te +++ b/contrib/sepgsql/sepgsql-regtest.te @@ -1,4 +1,4 @@ -policy_module(sepgsql-regtest, 1.02) +policy_module(sepgsql-regtest, 1.03) gen_require(` all_userspace_class_perms 
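Review bot: In the `else` branch of the new Test.8 failure text the `su -` hint is printed twice. The unchanged `echo " \$ su - (not needed, if you owns installation directory)"` before `EXPECT_PSQL=` already runs for both cases, so the added `echo " \$ su - (not needed, if you own the installation directory)"` should be dropped and the grammar fix applied to the shared line instead. `${CMD_PSQL}` is expanded unquoted in the `runcon` and `matchpathcon` invocations, so an installation path containing whitespace or glob characters is split into several arguments; writing `"${CMD_PSQL}"` avoids that. The probe covers only `sepgsql_regtest_user_t`, while the policy change in this commit grants the same exec permission to `sepgsql_regtest_dba_t`; if the tests also run psql in the dba domain, a second probe with `-t sepgsql_regtest_dba_t` would catch a mislabel there as well.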
@@ -24,6 +24,7 @@ postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t) role sepgsql_regtest_dba_r; userdom_base_user_template(sepgsql_regtest_dba) userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t) +userdom_exec_user_home_content_files(sepgsql_regtest_dba_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) optional_policy(` postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r) @@ -40,6 +41,7 @@ optional_policy(` role sepgsql_regtest_user_r; userdom_base_user_template(sepgsql_regtest_user) userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) +userdom_exec_user_home_content_files(sepgsql_regtest_user_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) optional_policy(` postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
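Review bot: The added `userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)` has no comment explaining why a regression-test domain needs to execute home-directory content, and the same applies to the matching line for `sepgsql_regtest_user_t` in the next hunk. Judging from the chkselinuxenv change in this commit, the purpose is to let these domains run psql from an installation under /home; a comment such as `# allow running psql when PostgreSQL is installed under /home (labeled user_home_t)` above each line would record that. Going by the interface name, the grant is not limited to psql but covers any file carrying the user home content label, and it applies even when PostgreSQL is installed elsewhere. The comment should therefore also say that the module is intended to be loaded on regression-test hosts only.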