| From: | Mike Palmiotto <mike(dot)palmiotto(at)crunchydata(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org, Joe Conway <mail(at)joeconway(dot)com> |
| Subject: | Re: sepgsql seems rather thoroughly broken on Fedora 30 |
| Date: | 2019-07-19 19:55:22 |
| Message-ID: | CAMN686H0bby=GXfmF2ykB_CntyvM5YVO6BjEg5-e1+Ee1uJXeA@mail.gmail.com |
| Lists: | pgsql-hackers |

On Fri, Jul 19, 2019 at 11:19 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> I got around to trying this, and lookee here:
>
> $ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
> allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:file map; [ domain_can_mmap_files ]:True
> allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
>
> Nothing about passwd_file_t. So *something* is different about the
> way the policy is being expanded.

Okay, I was finally able to replicate the issue (and fix it). It looks
like perhaps the userdom_base_user_template changed and no longer
allows reading of passwd_file_t? At any rate, I added some policy to
ensure that we have the proper permissions.

I also beefed up the test script a bit so it now:

- installs the SELinux policy module
- spins up a temporary cluster to muddy postgresql.conf and run the
  setup sql in an isolated environment

We probably need to polish this a bit more, but what do you think
about something similar to the attached patches? They should hopefully
reduce some of the complexity of running these regression tests.

--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com

| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Make-sepgsql-regtest-policy-module-less-error-prone.patch | text/x-patch | 2.2 KB |
| 0002-Add-sandboxed-cluster-for-sepgsql-regression-tests.patch | text/x-patch | 3.8 KB |