464 lines
14 KiB
Plaintext
464 lines
14 KiB
Plaintext
--
|
|
-- Regression Tests for Label Management
|
|
--
|
|
--
|
|
-- Setup
|
|
--
|
|
CREATE TABLE t1 (a int, b text);
|
|
INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
|
|
SELECT * INTO t2 FROM t1 WHERE a % 2 = 0;
|
|
CREATE FUNCTION f1 () RETURNS text
|
|
AS 'SELECT sepgsql_getcon()'
|
|
LANGUAGE sql;
|
|
CREATE FUNCTION f2 () RETURNS text
|
|
AS 'SELECT sepgsql_getcon()'
|
|
LANGUAGE sql;
|
|
SECURITY LABEL ON FUNCTION f2()
|
|
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
|
|
CREATE FUNCTION f3 () RETURNS text
|
|
AS 'BEGIN
|
|
RAISE EXCEPTION ''an exception from f3()'';
|
|
RETURN NULL;
|
|
END;' LANGUAGE plpgsql;
|
|
SECURITY LABEL ON FUNCTION f3()
|
|
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
|
|
CREATE FUNCTION f4 () RETURNS text
|
|
AS 'SELECT sepgsql_getcon()'
|
|
LANGUAGE sql;
|
|
SECURITY LABEL ON FUNCTION f4()
|
|
IS 'system_u:object_r:sepgsql_nosuch_trusted_proc_exec_t:s0';
|
|
CREATE FUNCTION f5 (text) RETURNS bool
|
|
AS 'SELECT sepgsql_setcon($1)'
|
|
LANGUAGE sql;
|
|
SECURITY LABEL ON FUNCTION f5(text)
|
|
IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
|
|
CREATE TABLE auth_tbl(uname text, credential text, label text);
|
|
INSERT INTO auth_tbl
|
|
VALUES ('foo', 'acbd18db4cc2f85cedef654fccc4a4d8', 'sepgsql_regtest_foo_t:s0'),
|
|
('var', 'b2145aac704ce76dbe1ac7adac535b23', 'sepgsql_regtest_var_t:s0'),
|
|
('baz', 'b2145aac704ce76dbe1ac7adac535b23', 'sepgsql_regtest_baz_t:s0');
|
|
SECURITY LABEL ON TABLE auth_tbl
|
|
IS 'system_u:object_r:sepgsql_secret_table_t:s0';
|
|
CREATE FUNCTION auth_func(text, text) RETURNS bool
|
|
LANGUAGE sql
|
|
AS 'SELECT sepgsql_setcon(regexp_replace(sepgsql_getcon(), ''_r:.*$'', ''_r:'' || label))
|
|
FROM auth_tbl WHERE uname = $1 AND credential = $2';
|
|
SECURITY LABEL ON FUNCTION auth_func(text,text)
|
|
IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
|
|
CREATE TABLE foo_tbl(a int, b text);
|
|
INSERT INTO foo_tbl VALUES (1, 'aaa'), (2,'bbb'), (3,'ccc'), (4,'ddd');
|
|
SECURITY LABEL ON TABLE foo_tbl
|
|
IS 'system_u:object_r:sepgsql_regtest_foo_table_t:s0';
|
|
CREATE TABLE var_tbl(x int, y text);
|
|
INSERT INTO var_tbl VALUES (2,'xxx'), (3,'yyy'), (4,'zzz'), (5,'xyz');
|
|
SECURITY LABEL ON TABLE var_tbl
|
|
IS 'system_u:object_r:sepgsql_regtest_var_table_t:s0';
|
|
--
|
|
-- Tests for default labeling behavior
|
|
--
|
|
SELECT sepgsql_getcon(); -- confirm client privilege
|
|
sepgsql_getcon
|
|
-----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
|
|
(1 row)
|
|
|
|
CREATE TABLE t3 (s int, t text);
|
|
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
|
|
SELECT objtype, objname, label FROM pg_seclabels
|
|
WHERE provider = 'selinux'
|
|
AND objtype in ('table', 'column')
|
|
AND objname in ('t1', 't2', 't3');
|
|
objtype | objname | label
|
|
---------+---------+-----------------------------------------------
|
|
table | t1 | unconfined_u:object_r:sepgsql_table_t:s0
|
|
table | t2 | unconfined_u:object_r:sepgsql_table_t:s0
|
|
table | t3 | unconfined_u:object_r:user_sepgsql_table_t:s0
|
|
(3 rows)
|
|
|
|
--
|
|
-- Tests for SECURITY LABEL
|
|
--
|
|
SELECT sepgsql_getcon(); -- confirm client privilege
|
|
sepgsql_getcon
|
|
----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0
|
|
(1 row)
|
|
|
|
SECURITY LABEL ON TABLE t1
|
|
IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok
|
|
SECURITY LABEL ON TABLE t2
|
|
IS 'invalid security context'; -- be failed
|
|
ERROR: SELinux: invalid security label: "invalid security context"
|
|
SECURITY LABEL ON COLUMN t2
|
|
IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- be failed
|
|
ERROR: column name must be qualified
|
|
SECURITY LABEL ON COLUMN t2.b
|
|
IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok
|
|
--
|
|
-- Tests for Trusted Procedures
|
|
--
|
|
SELECT sepgsql_getcon(); -- confirm client privilege
|
|
sepgsql_getcon
|
|
-----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
|
|
(1 row)
|
|
|
|
SELECT f1(); -- normal procedure
|
|
f1
|
|
-----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
|
|
(1 row)
|
|
|
|
SELECT f2(); -- trusted procedure
|
|
f2
|
|
-----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_trusted_proc_t:s0
|
|
(1 row)
|
|
|
|
SELECT f3(); -- trusted procedure that raises an error
|
|
ERROR: an exception from f3()
|
|
SELECT f4(); -- failed on domain transition
|
|
ERROR: SELinux: security policy violation
|
|
SELECT sepgsql_getcon(); -- client's label must be restored
|
|
sepgsql_getcon
|
|
-----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
|
|
(1 row)
|
|
|
|
--
|
|
-- Test for Dynamic Domain Transition
|
|
--
|
|
-- validation of transaction aware dynamic-transition
|
|
SELECT sepgsql_getcon(); -- confirm client privilege
|
|
sepgsql_getcon
|
|
--------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
|
|
(1 row)
|
|
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
--------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
|
|
(1 row)
|
|
|
|
SELECT sepgsql_setcon(NULL); -- failed to reset
|
|
ERROR: SELinux: security policy violation
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
--------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
|
|
(1 row)
|
|
|
|
BEGIN;
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12');
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
--------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
|
|
(1 row)
|
|
|
|
SAVEPOINT svpt_1;
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9');
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
|
|
(1 row)
|
|
|
|
SAVEPOINT svpt_2;
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
|
|
(1 row)
|
|
|
|
SAVEPOINT svpt_3;
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3');
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c3
|
|
(1 row)
|
|
|
|
ROLLBACK TO SAVEPOINT svpt_2;
|
|
SELECT sepgsql_getcon(); -- should be 's0:c0.c9'
|
|
sepgsql_getcon
|
|
-------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
|
|
(1 row)
|
|
|
|
ROLLBACK TO SAVEPOINT svpt_1;
|
|
SELECT sepgsql_getcon(); -- should be 's0:c0.c12'
|
|
sepgsql_getcon
|
|
--------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
|
|
(1 row)
|
|
|
|
ABORT;
|
|
SELECT sepgsql_getcon(); -- should be 's0:c0.c15'
|
|
sepgsql_getcon
|
|
--------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
|
|
(1 row)
|
|
|
|
BEGIN;
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8');
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
|
|
(1 row)
|
|
|
|
SAVEPOINT svpt_1;
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4');
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c4
|
|
(1 row)
|
|
|
|
ROLLBACK TO SAVEPOINT svpt_1;
|
|
SELECT sepgsql_getcon(); -- should be 's0:c0.c8'
|
|
sepgsql_getcon
|
|
-------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
|
|
(1 row)
|
|
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
COMMIT;
|
|
SELECT sepgsql_getcon(); -- should be 's0:c0.c6'
|
|
sepgsql_getcon
|
|
-------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
|
|
(1 row)
|
|
|
|
-- sepgsql_regtest_user_t is not available dynamic-transition,
|
|
-- unless sepgsql_setcon() is called inside of trusted-procedure
|
|
SELECT sepgsql_getcon(); -- confirm client privilege
|
|
sepgsql_getcon
|
|
------------------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c15
|
|
(1 row)
|
|
|
|
-- sepgsql_regtest_user_t has no permission to switch current label
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0'); -- failed
|
|
ERROR: SELinux: security policy violation
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
------------------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c15
|
|
(1 row)
|
|
|
|
-- trusted procedure allows to switch, but unavailable to override MCS rules
|
|
SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7'); -- OK
|
|
f5
|
|
----
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-----------------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
|
|
(1 row)
|
|
|
|
SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c31'); -- Failed
|
|
ERROR: SELinux: security policy violation
|
|
CONTEXT: SQL function "f5" statement 1
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-----------------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
|
|
(1 row)
|
|
|
|
SELECT f5(NULL); -- Failed
|
|
ERROR: SELinux: security policy violation
|
|
CONTEXT: SQL function "f5" statement 1
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-----------------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
|
|
(1 row)
|
|
|
|
BEGIN;
|
|
SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c3'); -- OK
|
|
f5
|
|
----
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-----------------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c3
|
|
(1 row)
|
|
|
|
ABORT;
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-----------------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
|
|
(1 row)
|
|
|
|
--
|
|
-- Test for simulation of typical connection pooling server
|
|
--
|
|
SELECT sepgsql_getcon(); -- confirm client privilege
|
|
sepgsql_getcon
|
|
-----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_pool_t:s0
|
|
(1 row)
|
|
|
|
-- we shouldn't allow to switch client label without trusted procedure
|
|
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_foo_t:s0');
|
|
ERROR: SELinux: security policy violation
|
|
SELECT * FROM auth_tbl; -- failed, no permission to reference
|
|
ERROR: SELinux: security policy violation
|
|
-- switch to "foo"
|
|
SELECT auth_func('foo', 'acbd18db4cc2f85cedef654fccc4a4d8');
|
|
auth_func
|
|
-----------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_foo_t:s0
|
|
(1 row)
|
|
|
|
SELECT * FROM foo_tbl; -- OK
|
|
a | b
|
|
---+-----
|
|
1 | aaa
|
|
2 | bbb
|
|
3 | ccc
|
|
4 | ddd
|
|
(4 rows)
|
|
|
|
SELECT * FROM var_tbl; -- failed
|
|
ERROR: SELinux: security policy violation
|
|
SELECT * FROM auth_tbl; -- failed
|
|
ERROR: SELinux: security policy violation
|
|
SELECT sepgsql_setcon(NULL); -- end of session
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_pool_t:s0
|
|
(1 row)
|
|
|
|
-- the pooler cannot touch these tables directry
|
|
SELECT * FROM foo_tbl; -- failed
|
|
ERROR: SELinux: security policy violation
|
|
SELECT * FROM var_tbl; -- failed
|
|
ERROR: SELinux: security policy violation
|
|
-- switch to "var"
|
|
SELECT auth_func('var', 'b2145aac704ce76dbe1ac7adac535b23');
|
|
auth_func
|
|
-----------
|
|
t
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_var_t:s0
|
|
(1 row)
|
|
|
|
SELECT * FROM foo_tbl; -- failed
|
|
ERROR: SELinux: security policy violation
|
|
SELECT * FROM var_tbl; -- OK
|
|
x | y
|
|
---+-----
|
|
2 | xxx
|
|
3 | yyy
|
|
4 | zzz
|
|
5 | xyz
|
|
(4 rows)
|
|
|
|
SELECT * FROM auth_tbl; -- failed
|
|
ERROR: SELinux: security policy violation
|
|
SELECT sepgsql_setcon(NULL); -- end of session
|
|
sepgsql_setcon
|
|
----------------
|
|
t
|
|
(1 row)
|
|
|
|
-- misc checks
|
|
SELECT auth_func('var', 'invalid credential'); -- not works
|
|
auth_func
|
|
-----------
|
|
|
|
(1 row)
|
|
|
|
SELECT sepgsql_getcon();
|
|
sepgsql_getcon
|
|
-----------------------------------------------------
|
|
unconfined_u:unconfined_r:sepgsql_regtest_pool_t:s0
|
|
(1 row)
|
|
|
|
--
|
|
-- Clean up
|
|
--
|
|
SELECT sepgsql_getcon(); -- confirm client privilege
|
|
sepgsql_getcon
|
|
------------------------------------------------------
|
|
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
|
|
(1 row)
|
|
|
|
DROP TABLE IF EXISTS t1 CASCADE;
|
|
DROP TABLE IF EXISTS t2 CASCADE;
|
|
DROP TABLE IF EXISTS t3 CASCADE;
|
|
DROP FUNCTION IF EXISTS f1() CASCADE;
|
|
DROP FUNCTION IF EXISTS f2() CASCADE;
|
|
DROP FUNCTION IF EXISTS f3() CASCADE;
|
|
DROP FUNCTION IF EXISTS f4() CASCADE;
|
|
DROP FUNCTION IF EXISTS f5(text) CASCADE;
|