Re: [v9.1] sepgsql - userspace access vector cache

I fixed up the security policy for regression test, and chkselinuxenv script.

The revised security policy allows test domains to execute programs
being installed under home directories.
In addition, the revised chkselinuxenv newly checks necessary commands
to run this script itself, and changed the way to validate executability of
psql command. (The point of this test is whether the psql is executable
by sepgsql_regtest_user_t, or not. So, bin_t is not a criteria to fail the
script.)

Thanks,

2011/8/18 Kohei Kaigai <Kohei.Kaigai@emea.nec.com>:
>> OK, I'm giving up for now.  I hit two more snags:
>>
>> 1. chkselinuxenv uses "which", and a Fedora 15 minimal install doesn't
>> include that.  I fixed that by installing "which", but maybe we ought
>> to be looking for a way to eliminate that dependency, like testing for
>> the commands you need by running them with --help, or something like
>> that.
>>
> Oops, I thought "which" is a part of coreutils.
>
> I'll try to update chkselinuxenv to print a help message when necessary commands are not installed.
>
>> 2. restorecon doesn't correctly set the permissions for me on
>> ~/project/bin/psql.  I get:
>>
>> [rhaas@f15selinux sepgsql]$ ls -Z ~/project/bin/psql
>> -rwxr-xr-x. rhaas rhaas unconfined_u:object_r:user_home_t:s0
>> /home/rhaas/project/bin/psql
>>
>> Now I can fix that by applying bin_t manually, as suggested in the
>> documentation.  However, that just moves the failure to library load
>> time.  regression.diffs has multiple copies of this error message:
>>
>> /home/rhaas/project/bin/psql: error while loading shared libraries:
>> libpq.so.5: failed to map segment from shared object: Permission
>> denied
>>
> I guess it tries to mmap(2) libpq.so.5 (labeled as user_home_t) with executable mode.
> The regression test switches domain of psql command on its execution from "unconfined_t" to "sepgsql_regtest_user_t",
however,I didn't allow this domain to mmap(2) files in user's home directory with executable mode. 
> It may need to revise the security policy of regression test to support installation onto home directory.
>
> As a quick avoidance, how about --prefix=/usr/local/sepgsql instead?
>
> Thanks,
> --
> NEC Europe Ltd, SAP Global Competence Center
> KaiGai Kohei <kohei.kaigai@emea.nec.com>
>
>
>> -----Original Message-----
>> From: Robert Haas [mailto:robertmhaas@gmail.com]
>> Sent: 18. August 2011 18:22
>> To: Kohei Kaigai
>> Cc: Yeb Havinga; PgHacker; Kohei KaiGai
>> Subject: Re: [HACKERS] [v9.1] sepgsql - userspace access vector cache
>>
>> On Thu, Aug 18, 2011 at 1:00 PM, Robert Haas <robertmhaas@gmail.com> wrote:
>> > [more problems]
>>
>> OK, I'm giving up for now.  I hit two more snags:
>>
>> 1. chkselinuxenv uses "which", and a Fedora 15 minimal install doesn't
>> include that.  I fixed that by installing "which", but maybe we ought
>> to be looking for a way to eliminate that dependency, like testing for
>> the commands you need by running them with --help, or something like
>> that.
>>
>> 2. restorecon doesn't correctly set the permissions for me on
>> ~/project/bin/psql.  I get:
>>
>> [rhaas@f15selinux sepgsql]$ ls -Z ~/project/bin/psql
>> -rwxr-xr-x. rhaas rhaas unconfined_u:object_r:user_home_t:s0
>> /home/rhaas/project/bin/psql
>>
>> Now I can fix that by applying bin_t manually, as suggested in the
>> documentation.  However, that just moves the failure to library load
>> time.  regression.diffs has multiple copies of this error message:
>>
>> /home/rhaas/project/bin/psql: error while loading shared libraries:
>> libpq.so.5: failed to map segment from shared object: Permission
>> denied
>>
>> Help!
>>
>> Thanks,
>>
>> --
>> Robert Haas
>> EnterpriseDB: http://www.enterprisedb.com
>> The Enterprise PostgreSQL Company
>>
>>
>>  Click
>> https://www.mailcontrol.com/sr/g7UEZIfD10rTndxI!oX7Unz1!gA0DCbilsfI53CIRke!PbNpuk4RnjmGfZ8cEe1DM1
>> BV3YJKcc9jEfBJ2k7YZA==  to report this email as spam.
>



--
KaiGai Kohei <kaigai@kaigai.gr.jp>