pgsql: Fix sepgsql regression tests (9.2-only patch).

From: Joe Conway <mail(at)joeconway(dot)com>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Fix sepgsql regression tests (9.2-only patch).
Date: 2015-09-22 21:59:24
Message-ID: E1ZeVau-0008Qk-H1@gemulon.postgresql.org
Lists: pgsql-committers

Fix sepgsql regression tests (9.2-only patch).

The regression tests for sepgsql were broken by changes in the
base distro as-shipped policies. Specifically, definition of
unconfined_t in the system default policy was changed to bypass
multi-category rules, which the regression test depended on.
Fix that by defining a custom privileged domain
(sepgsql_regtest_superuser_t) and using it instead of the system's
unconfined_t domain. The new sepgsql_regtest_superuser_t domain
performs almost like the current unconfined_t, but is restricted by
multi-category policy as the traditional unconfined_t was.

The custom policy module is a self-defined domain, and so should not
be affected by related future system policy changes. However, it still
uses the unconfined_u:unconfined_r pair for selinux-user and role.
Those definitions have not been changed for several years and seem
less risky to rely on than the unconfined_t domain. Additionally, if
we define custom user/role, they would need to be manually defined
at the operating system level, adding more complexity to an already
non-standard and complex regression test.

Applies only to 9.2. Unlike the previous similar patch, commit 794e2558b,
this also fixes a bug related to processing the SELECT INTO statement.
Because v9.2 didn't have ObjectAccessPostCreate to inform the context
when a relation is newly created, sepgsql had an alternative method.
However, related code in sepgsql_object_access() neglected to consider
T_CreateTableAsStmt, thus no label was assigned to the new relation.
This logic was removed and replaced starting in 9.3.

Patch by Kohei KaiGai.

Branch
------
REL9_2_STABLE

Details
-------
http://git.postgresql.org/pg/commitdiff/e90a629e126b9459b1f1d8ee8aa8c8598dc36b16

Modified Files
--------------
contrib/sepgsql/expected/ddl.out | 208 ++++++++++++++++++------------------
contrib/sepgsql/expected/dml.out | 6 +-
contrib/sepgsql/expected/label.out | 106 +++++++++---------
contrib/sepgsql/hooks.c | 1 +
contrib/sepgsql/launcher | 2 +-
contrib/sepgsql/sepgsql-regtest.te | 98 ++++++++++++++---
contrib/sepgsql/sql/ddl.sql | 2 +-
contrib/sepgsql/sql/dml.sql | 2 +-
contrib/sepgsql/sql/label.sql | 20 ++--
9 files changed, 255 insertions(+), 190 deletions(-)
