Re: sepgsql: label regression test failed

From Sergey Muraviov
Subject Re: sepgsql: label regression test failed
Msg-id CAJTaR30cACCet=FPzngKaERN_LcPd64k_2cU_30XExV4m-3gBA@mail.gmail.com
In response to Re: sepgsql: label regression test failed  (Kohei KaiGai <kaigai@kaigai.gr.jp>)
Responses Re: sepgsql: label regression test failed
Re: sepgsql: label regression test failed
List pgsql-hackers
Hi.

Some regression tests for sepgsql still do not work on Fedora 20:

============== running regression test queries        ==============
test label                    ... FAILED
test dml                      ... ok
test ddl                      ... FAILED
test alter                    ... FAILED
test misc                     ... ok

======================
 3 of 5 tests failed. 
======================

$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

$ uname -i -o -r
3.14.3-200.fc20.x86_64 x86_64 GNU/Linux

$ /usr/local/pgsql/bin/postgres --version
postgres (PostgreSQL) 9.4beta1

PS
I've got this compiler warning:
 relation.c: In function ‘sepgsql_relation_drop’:
relation.c:472:25: warning: ‘tclass’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  sepgsql_avc_check_perms(&object,
                         ^


2013-12-25 0:34 GMT+04:00 Kohei KaiGai <kaigai@kaigai.gr.jp>:
Hello,

It seems to me changes in the base security policy on Fedora affected
the regression test. Our test cases for sepgsql_setcon() utilize the MCS
rules, which prevent domain transition from narrow categories to wider ones,
to control the success cases and failure cases.

However, its coverage was changed. It was applied to all the domains in the
system, thus "unconfined_t" domain had been enforced by MCS rules.
But now, it shall be applied only to domains with "mcs_constrained_type"
attribute.

[kaigai@vmlinux tmp]$ diff -up old/policy/mcs new/policy/mcs
      :
 <snip>
      :
 mlsconstrain process { transition dyntransition }
-       (( h1 dom h2 ) or ( t1 == mcssetcats ));
+       (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
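
Review bot: The exemption clause on the `+` line, `( t1 != mcs_constrained_type )`, exempts every source type that lacks the attribute, whereas the removed `( t1 == mcssetcats )` exempted only types that carried one, so a domain that is not explicitly tagged is no longer held to `( h1 dom h2 )` for `transition` and `dyntransition`. Anything that relies on a domain being constrained needs that domain to be given `mcs_constrained_type` explicitly, and a comment beside the constraint stating that MCS enforcement is now opt-in would make the changed default visible to policy module authors.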

Probably, we need to define a domain by ourselves for regression test to ensure
the test stability, not using the system "unconfined" domain that has different
meaning by release.

I'll make a patch. Please wait for a while.

Thanks for your test & reports.

2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
> # semodule -l | grep sepgsql
> sepgsql-regtest 1.07
>
> Full list of modules is in attachment.
>
>
> 2013/12/18 Kohei KaiGai <kaigai@kaigai.gr.jp>
>>
>> Could you show me semodule -l on your environment?
>> I believe security policy has not been changed between F19 and F20...
>>
>> Thanks,
>>
>> 2013/12/18 Sergey Muraviov <sergey.k.muraviov@gmail.com>:
>> > Hi
>> >
>> > I've tried to test postgres 9.3.2 and 9.4devel with selinux on Fedora 20
>> > and
>> > met with a label regression test failure.
>> >
>> > PS
>> > I've got some warning during build process.
>> >
>> > --
>> > Best regards,
>> > Sergey Muraviov
>> >
>> >
>> > --
>> > Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
>> > To make changes to your subscription:
>> > http://www.postgresql.org/mailpref/pgsql-hackers
>> >
>>
>>
>>
>> --
>> KaiGai Kohei <kaigai@kaigai.gr.jp>
>
>
>
>
> --
> Best regards,
> Sergey Muraviov



--
KaiGai Kohei <kaigai@kaigai.gr.jp>



--
Best regards,
Sergey Muraviov
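
The constraint change quoted in the message above, modeled as an added example (not part of the thread, the Fedora policy, or the sepgsql sources) to show why a narrow-to-wide category switch that used to be denied for "unconfined_t" is now allowed. Assumptions: attribute membership is passed in as plain sets, "unconfined_t" is in neither attribute set (as the message describes), `example_regtest_t` is a hypothetical dedicated test domain, and all contexts are constructed.

```python
# Toy model of the two mlsconstrain expressions quoted in the message.
# Attribute membership is passed in as plain sets (an assumption; a real
# policy would be queried for it). All contexts below are constructed.

def parse_level(level):
    """'s0:c0.c3,c7' -> (0, frozenset({0, 1, 2, 3, 7}))"""
    sens, _, cats = level.partition(":")
    found = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")      # 'c0.c3' is the inclusive range c0..c3
        found.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(found)

def parse_context(ctx):
    """'user:role:type:low[-high]' -> (type, high level)"""
    _user, _role, typ, rng = ctx.split(":", 3)
    return typ, parse_level(rng.split("-")[-1])

def dom(h1, h2):
    """h1 dom h2: sensitivity not lower, and h1's categories include all of h2's."""
    return h1[0] >= h2[0] and h1[1] >= h2[1]

def old_rule(src, dst, mcssetcats):
    """(( h1 dom h2 ) or ( t1 == mcssetcats ))"""
    (t1, h1), (_, h2) = parse_context(src), parse_context(dst)
    return dom(h1, h2) or t1 in mcssetcats

def new_rule(src, dst, mcs_constrained_type):
    """(( h1 dom h2 ) or ( t1 != mcs_constrained_type ))"""
    (t1, h1), (_, h2) = parse_context(src), parse_context(dst)
    return dom(h1, h2) or t1 not in mcs_constrained_type

NARROW = "unconfined_u:unconfined_r:unconfined_t:s0:c0.c3"
WIDE = "unconfined_u:unconfined_r:unconfined_t:s0:c0.c15"
# Hypothetical dedicated test domain that carries mcs_constrained_type.
TEST_NARROW = "unconfined_u:unconfined_r:example_regtest_t:s0:c0.c3"
TEST_WIDE = "unconfined_u:unconfined_r:example_regtest_t:s0:c0.c15"
CONSTRAINED = {"example_regtest_t"}

def widen_results():
    """Is a narrow -> wide transition allowed under each rule?"""
    return {
        "old, unconfined_t": old_rule(NARROW, WIDE, mcssetcats=set()),
        "new, unconfined_t": new_rule(NARROW, WIDE, CONSTRAINED),
        "new, example_regtest_t": new_rule(TEST_NARROW, TEST_WIDE, CONSTRAINED),
    }

if __name__ == "__main__":
    for case, allowed in widen_results().items():
        print(case, "->", "allowed" if allowed else "denied")
```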