Skip to content

Commit 5c3d472

Browse files
tglsfdctglsfdc
committed
Fix contrib/sepgsql test policy to work with latest SELinux releases.
As of Fedora 30, it seems that the system-provided macros for setting up user privileges in SELinux policies don't grant the ability to read /etc/passwd, as they formerly did. This restriction breaks psql (which tries to use getpwuid() to obtain the user name it's running under) and thereby the contrib/sepgsql regression test. Add explicit specifications that we need the right to read /etc/passwd. Mike Palmiotto, per a report from me. Back-patch to all supported branches. Discussion: https://postgr.es/m/23856.1563381159@sss.pgh.pa.us
1 parent 183cd8c commit 5c3d472

File tree

1 file changed

+11
-0
lines changed

1 file changed

+11
-0
lines changed

contrib/sepgsql/sepgsql-regtest.te

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,9 @@ userdom_base_user_template(sepgsql_regtest_superuser)
3131
userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
3232
userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
3333
userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)
34+
35+
auth_read_passwd(sepgsql_regtest_superuser_t)
36+
3437
optional_policy(`
3538
postgresql_stream_connect(sepgsql_regtest_superuser_t)
3639
postgresql_unconfined(sepgsql_regtest_superuser_t)
@@ -60,6 +63,9 @@ userdom_base_user_template(sepgsql_regtest_dba)
6063
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
6164
userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
6265
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
66+
67+
auth_read_passwd(sepgsql_regtest_dba_t)
68+
6369
optional_policy(`
6470
postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
6571
postgresql_stream_connect(sepgsql_regtest_dba_t)
@@ -98,6 +104,9 @@ userdom_base_user_template(sepgsql_regtest_user)
98104
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
99105
userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
100106
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
107+
108+
auth_read_passwd(sepgsql_regtest_user_t)
109+
101110
optional_policy(`
102111
postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
103112
postgresql_stream_connect(sepgsql_regtest_user_t)
@@ -126,6 +135,8 @@ userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
126135
userdom_exec_user_home_content_files(sepgsql_regtest_pool_t)
127136
userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t)
128137

138+
auth_read_passwd(sepgsql_regtest_pool_t)
139+
129140
type sepgsql_regtest_foo_t;
130141
type sepgsql_regtest_var_t;
131142
type sepgsql_regtest_foo_table_t;

0 commit comments

Comments
 (0)