Home > mailing lists

Re: contrib/sepgsql fails on Fedora 28 - Mailing list pgsql-hackers

From	Mike Palmiotto
Subject	Re: contrib/sepgsql fails on Fedora 28
Date	May 25, 2018 05:10:23
Msg-id	a6ad52b1-2995-bb3e-cce8-854ec615f8d9@crunchydata.com Whole thread Raw
In response to	contrib/sepgsql fails on Fedora 28 (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: contrib/sepgsql fails on Fedora 28 (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-hackers

Tree view

On 05/24/2018 03:30 PM, Tom Lane wrote:
> I tried to run the regression test for sepgsql on F28 (so I could
> fix the now-obsolete expected-file therein).  It fails at this
> preparatory step:
> 
> $ sudo semodule -u sepgsql-regtest.pp
> The --upgrade option is deprecated. Use --install instead.
> neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
>   (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace
getschedsetsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit
rlimitinhdyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))

>     <root>
>     allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
>       (allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
>     <root>
> ... lots more ...
>     optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
>     optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
>     allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
>       (allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))
> 
> Failed to generate binary
> semodule:  Failed>
> For the moment I'll try an older Fedora release, but it seems
> we have some work to do here.

For a bit of background on the issue, `neverallow` is intended to prevent
policy that would violate certain information flow security models.

This error appears to be due to an update to the userspace install tools,
which do the proper `neverallow` check that was previously not happening. It
appears that at least part of this fix needs to take place in the upstream
policy repo, but in the meantime I've attached a patch that should stop the
build errors.

This has not yet tested been on F27 and earlier. Since the error you were
seeing is a policy-install error and the policy updates are using interfaces
that were available pre-F28, it should not affect the outcome of the build. I
have also not yet run the regression tests with the change, but likewise, this
patch should not affect that.

I will go ahead and test the fix on other platforms and make sure the regtest
is passing, but this should solve the problem for now. Let me know if anything
else catches fire.

Thanks,

-- 
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com

Attachment

0001-Fix-sepgsql-regression-tests-on-fedora28.patch

pgsql-hackers by date:

From: Thomas Munro
Date: 25 May 2018, 04:22:11
Subject: Undo logs

From: Bruce Momjian
Date: 25 May 2018, 06:24:23
Subject: Re: ParseDateTime in src/backend/utils/adt/datetime.c

Re: contrib/sepgsql fails on Fedora 28 - Mailing list pgsql-hackers

Attachment

Previous

Next