2011-01-24 02:44:48 +01:00
|
|
|
#!/bin/sh
|
|
|
|
|
#
|
|
|
|
|
# A wrapper script to launch psql command in regression test
|
|
|
|
|
#
|
2019-01-02 18:44:25 +01:00
|
|
|
# Copyright (c) 2010-2019, PostgreSQL Global Development Group
|
2011-01-24 02:44:48 +01:00
|
|
|
#
|
|
|
|
|
# -------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
if [ $# -lt 1 ]; then
|
|
|
|
|
echo "usage: `basename $0` <command> [options...]"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
RUNCON=`which runcon`
|
|
|
|
|
if [ ! -e "$RUNCON" ]; then
|
|
|
|
|
echo "runcon command is not found"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Read SQL from stdin
|
|
|
|
|
#
|
|
|
|
|
TEMP=`mktemp`
|
Fix sepgsql regression tests.
The regression tests for sepgsql were broken by changes in the
base distro as-shipped policies. Specifically, definition of
unconfined_t in the system default policy was changed to bypass
multi-category rules, which the regression test depended on.
Fix that by defining a custom privileged domain
(sepgsql_regtest_superuser_t) and using it instead of system's
unconfined_t domain. The new sepgsql_regtest_superuser_t domain
performs almost like the current unconfined_t, but restricted by
multi-category policy as the traditional unconfined_t was.
The custom policy module is a self defined domain, and so should not
be affected by related future system policy changes. However, it still
uses the unconfined_u:unconfined_r pair for selinux-user and role.
Those definitions have not been changed for several years and seem
less risky to rely on than the unconfined_t domain. Additionally, if
we define custom user/role, they would need to be manually defined
at the operating system level, adding more complexity to an already
non-standard and complex regression test.
Back-patch to 9.3. The regression tests will need more work before
working correctly on 9.2. Starting with 9.2, sepgsql has had dependencies
on libselinux versions that are only available on newer distros with
the changed set of policies (e.g. RHEL 7.x). On 9.1 sepgsql works
fine with the older distros with original policy set (e.g. RHEL 6.x),
and on which the existing regression tests work fine. We might want
eventually change 9.1 sepgsql regression tests to be more independent
from the underlying OS policies, however more work will be needed to
make that happen and it is not clear that it is worth the effort.
Kohei KaiGai with review by Adam Brightwell and me, commentary by
Stephen, Alvaro, Tom, Robert, and others.
2015-08-30 20:09:05 +02:00
|
|
|
CONTEXT="unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255"
|
2011-01-24 02:44:48 +01:00
|
|
|
|
|
|
|
|
while IFS='\\n' read LINE
|
|
|
|
|
do
|
|
|
|
|
if echo "$LINE" | grep -q "^-- @SECURITY-CONTEXT="; then
|
|
|
|
|
if [ -s "$TEMP" ]; then
|
|
|
|
|
if [ -n "$CONTEXT" ]; then
|
|
|
|
|
"$RUNCON" "$CONTEXT" $* < "$TEMP"
|
|
|
|
|
else
|
|
|
|
|
$* < $TEMP
|
|
|
|
|
fi
|
|
|
|
|
truncate -s0 $TEMP
|
|
|
|
|
fi
|
|
|
|
|
CONTEXT=`echo "$LINE" | sed 's/^-- @SECURITY-CONTEXT=//g'`
|
|
|
|
|
LINE="SELECT sepgsql_getcon(); -- confirm client privilege"
|
|
|
|
|
fi
|
|
|
|
|
echo "$LINE" >> $TEMP
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
if [ -s "$TEMP" ]; then
|
|
|
|
|
if [ -n "$CONTEXT" ]; then
|
|
|
|
|
"$RUNCON" "$CONTEXT" $* < "$TEMP"
|
|
|
|
|
else
|
|
|
|
|
$* < $TEMP
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# cleanup temp file
|
|
|
|
|
rm -f $TEMP
|