Thread: contrib/sepgsql fails on Fedora 28

contrib/sepgsql fails on Fedora 28

From
Tom Lane
Date:
I tried to run the regression test for sepgsql on F28 (so I could
fix the now-obsolete expected-file therein).  It fails at this
preparatory step:

$ sudo semodule -u sepgsql-regtest.pp
The --upgrade option is deprecated. Use --install instead.
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
  (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace
getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit
rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
      (allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
    <root>
... lots more ...
    optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
    optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
    allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
      (allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))

Failed to generate binary
semodule:  Failed!

For the moment I'll try an older Fedora release, but it seems
we have some work to do here.

            regards, tom lane


Re: contrib/sepgsql fails on Fedora 28

From
Mike Palmiotto
Date:
On 05/24/2018 03:30 PM, Tom Lane wrote:
> I tried to run the regression test for sepgsql on F28 (so I could
> fix the now-obsolete expected-file therein).  It fails at this
> preparatory step:
> 
> $ sudo semodule -u sepgsql-regtest.pp
> The --upgrade option is deprecated. Use --install instead.
> neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
>   (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace
> getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit
> rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
>     <root>
>     allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
>       (allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
>     <root>
> ... lots more ...
>     optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
>     optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
>     allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
>       (allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))
> 
> Failed to generate binary
> semodule:  Failed!
> 
> For the moment I'll try an older Fedora release, but it seems
> we have some work to do here.

For a bit of background on the issue, `neverallow` is intended to prevent
policy that would violate certain information flow security models.

This error appears to be due to an update to the userspace install tools,
which do the proper `neverallow` check that was previously not happening. It
appears that at least part of this fix needs to take place in the upstream
policy repo, but in the meantime I've attached a patch that should stop the
build errors.

This has not yet been tested on F27 and earlier. Since the error you were
seeing is a policy-install error and the policy updates are using interfaces
that were available pre-F28, it should not affect the outcome of the build. I
have also not yet run the regression tests with the change, but likewise, this
patch should not affect that.

I will go ahead and test the fix on other platforms and make sure the regtest
is passing, but this should solve the problem for now. Let me know if anything
else catches fire.

Thanks,

-- 
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com

Attachment
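As an added illustration of the check Mike describes (example code written for this page, not from the thread, the sepgsql policy or the SELinux tools): a toy version of the neverallow check that semodule now performs at install time, run over a constructed CIL-style fragment. The attribute sets and rules below are assumptions shaped after the error output above; a neverallow is breached when an allow rule's source and target, after attributes are expanded to concrete types, each overlap the neverallow's sets and the permissions overlap.

```python
# Added example (not from the thread): a toy model of the neverallow check that
# semodule performs at policy-install time. The CIL-style fragment is constructed.
import re
from itertools import product

POLICY = """
(typeattributeset base_typeattr_6 (sepgsql_client_type unconfined_t))
(typeattributeset base_typeattr_7 (sepgsql_ranged_proc_t sepgsql_client_type))
(typeattributeset sepgsql_client_type (sepgsql_regtest_superuser_t sepgsql_regtest_user_t))
(neverallow base_typeattr_6 base_typeattr_7 (process (transition dyntransition)))
(allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
(allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))
(allow sepgsql_regtest_user_t sepgsql_ranged_proc_t (process (getattr)))
(allow init_t sepgsql_ranged_proc_t (process (transition)))
"""

RULE = re.compile(r"\((typeattributeset|neverallow|allow)\s+(\w+)\s+(.*)\)\s*$")
AV = re.compile(r"(\w+)\s+\((\w+)\s+\((.*)\)\)")

def parse(text):
    """Split the fragment into attribute sets, neverallow rules and allow rules."""
    attrs, nevers, allows = {}, [], []
    for line in text.strip().splitlines():
        kind, name, rest = RULE.match(line.strip()).groups()
        if kind == "typeattributeset":
            attrs[name] = set(re.findall(r"\w+", rest))
        else:
            tgt, cls, perms = AV.match(rest).groups()
            (nevers if kind == "neverallow" else allows).append(
                (name, tgt, cls, set(perms.split())))
    return attrs, nevers, allows

def expand(name, attrs, seen=None):
    """Resolve an attribute (possibly nested) to the concrete types it covers."""
    seen = set() if seen is None else seen
    if name not in attrs or name in seen:
        return {name}
    seen.add(name)
    return set().union(*(expand(t, attrs, seen) for t in attrs[name]))

def violations(text):
    """Return (source, target, perms) for each allow that breaches a neverallow."""
    attrs, nevers, allows = parse(text)
    out = []
    for (ns, nt, ncls, nperms), (as_, at, acls, aperms) in product(nevers, allows):
        clash = nperms & aperms  # permissions the neverallow forbids
        if (acls == ncls and clash
                and expand(as_, attrs) & expand(ns, attrs)
                and expand(at, attrs) & expand(nt, attrs)):
            out.append((as_, at, sorted(clash)))
    return out
```

The two flagged rules mirror the `transition` and `dyntransition` allows the installer complained about; the `getattr` rule and the `init_t` rule pass because the permission and the source type, respectively, fall outside the neverallow.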

Re: contrib/sepgsql fails on Fedora 28

From
Tom Lane
Date:
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
> On 05/24/2018 03:30 PM, Tom Lane wrote:
>> I tried to run the regression test for sepgsql on F28 (so I could
>> fix the now-obsolete expected-file therein).  It fails at this
>> preparatory step:
>> $ sudo semodule -u sepgsql-regtest.pp

> This error appears to be due to an update to the userspace install tools,
> which do the proper `neverallow` check that was previously not happening. It
> appears that at least part of this fix needs to take place in the upstream
> policy repo, but in the meantime I've attached a patch that should stop the
> build errors.

I don't have any immediate need for this fix personally, since sepgsql
still works on F26.  The buildfarm is not testing the case either.
So rather than push a band-aid fix that might have a short shelf-life,
I'm inclined to wait till the upstream changes land, then see if we
need to do anything.

            regards, tom lane