postgresql/contrib/sepgsql/expected/label.out

--
-- Regression Tests for Label Management
--
--
-- Setup
--
CREATE TABLE t1 (a int, b text);
INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
SELECT * INTO t2 FROM t1 WHERE a % 2 = 0;
CREATE FUNCTION f1 () RETURNS text
    AS 'SELECT sepgsql_getcon()'
    LANGUAGE sql;
CREATE FUNCTION f2 () RETURNS text
    AS 'SELECT sepgsql_getcon()'
    LANGUAGE sql;
SECURITY LABEL ON FUNCTION f2()
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
CREATE FUNCTION f3 () RETURNS text
    AS 'BEGIN
          RAISE EXCEPTION ''an exception from f3()'';
          RETURN NULL;
        END;' LANGUAGE plpgsql;
SECURITY LABEL ON FUNCTION f3()
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
--
-- Tests for default labeling behavior
--
SELECT sepgsql_getcon();	-- confirm client privilege
                   sepgsql_getcon                    
-----------------------------------------------------
 unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
(1 row)

CREATE TABLE t3 (s int, t text);
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
SELECT objtype, objname, label FROM pg_seclabels
    WHERE provider = 'selinux'
     AND  objtype in ('table', 'column')
     AND  objname in ('t1', 't2', 't3');
 objtype | objname |                     label                     
---------+---------+-----------------------------------------------
 table   | t1      | unconfined_u:object_r:sepgsql_table_t:s0
 table   | t2      | unconfined_u:object_r:sepgsql_table_t:s0
 table   | t3      | unconfined_u:object_r:user_sepgsql_table_t:s0
(3 rows)

--
-- Tests for SECURITY LABEL
--
SELECT sepgsql_getcon();	-- confirm client privilege
                   sepgsql_getcon                   
----------------------------------------------------
 unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0
(1 row)

SECURITY LABEL ON TABLE t1
    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- ok
SECURITY LABEL ON TABLE t2
    IS 'invalid security context';			-- be failed
ERROR:  SELinux: invalid security label: "invalid security context"
SECURITY LABEL ON COLUMN t2
    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- be failed
ERROR:  improper relation name (too many dotted names): 
SECURITY LABEL ON COLUMN t2.b
    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- ok
--
-- Tests for Trusted Procedures
--
SELECT sepgsql_getcon();	-- confirm client privilege
                   sepgsql_getcon                    
-----------------------------------------------------
 unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
(1 row)

SELECT f1();			-- normal procedure
                         f1                          
-----------------------------------------------------
 unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
(1 row)

SELECT f2();			-- trusted procedure
                         f2                          
-----------------------------------------------------
 unconfined_u:unconfined_r:sepgsql_trusted_proc_t:s0
(1 row)

SELECT f3();			-- trusted procedure that raises an error
ERROR:  an exception from f3()
SELECT sepgsql_getcon();	-- client's label must be restored
                   sepgsql_getcon                    
-----------------------------------------------------
 unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
(1 row)

--
-- Clean up
--
SELECT sepgsql_getcon();	-- confirm client privilege
                    sepgsql_getcon                    
------------------------------------------------------
 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
(1 row)

DROP TABLE IF EXISTS t1 CASCADE;
DROP TABLE IF EXISTS t2 CASCADE;
DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE;
sepgsql, an SE-Linux integration for PostgreSQL This is still pretty rough - among other things, the documentation needs work, and the messages need a visit from the style police - but this gets the basic framework in place. KaiGai Kohei 2011-01-24 09:44:48 +08:00			`--`
			`-- Regression Tests for Label Management`
			`--`
			`--`
			`-- Setup`
			`--`
			`CREATE TABLE t1 (a int, b text);`
			`INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');`
			`SELECT * INTO t2 FROM t1 WHERE a % 2 = 0;`
			`CREATE FUNCTION f1 () RETURNS text`
			`AS 'SELECT sepgsql_getcon()'`
			`LANGUAGE sql;`
			`CREATE FUNCTION f2 () RETURNS text`
			`AS 'SELECT sepgsql_getcon()'`
			`LANGUAGE sql;`
			`SECURITY LABEL ON FUNCTION f2()`
			`IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';`
			`CREATE FUNCTION f3 () RETURNS text`
			`AS 'BEGIN`
			`RAISE EXCEPTION ''an exception from f3()'';`
			`RETURN NULL;`
			`END;' LANGUAGE plpgsql;`
			`SECURITY LABEL ON FUNCTION f3()`
			`IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';`
			`--`
			`-- Tests for default labeling behavior`
			`--`
			`SELECT sepgsql_getcon(); -- confirm client privilege`
			`sepgsql_getcon`
			`-----------------------------------------------------`
			`unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0`
			`(1 row)`

			`CREATE TABLE t3 (s int, t text);`
			`INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');`
			`SELECT objtype, objname, label FROM pg_seclabels`
			`WHERE provider = 'selinux'`
			`AND objtype in ('table', 'column')`
			`AND objname in ('t1', 't2', 't3');`
			`objtype \| objname \| label`
			`---------+---------+-----------------------------------------------`
			`table \| t1 \| unconfined_u:object_r:sepgsql_table_t:s0`
			`table \| t2 \| unconfined_u:object_r:sepgsql_table_t:s0`
			`table \| t3 \| unconfined_u:object_r:user_sepgsql_table_t:s0`
			`(3 rows)`

			`--`
			`-- Tests for SECURITY LABEL`
			`--`
			`SELECT sepgsql_getcon(); -- confirm client privilege`
			`sepgsql_getcon`
			`----------------------------------------------------`
			`unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0`
			`(1 row)`

			`SECURITY LABEL ON TABLE t1`
			`IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok`
			`SECURITY LABEL ON TABLE t2`
Various sepgsql corrections. KaiGai Kohei 2011-02-03 12:39:43 +08:00			`IS 'invalid security context'; -- be failed`
			`ERROR: SELinux: invalid security label: "invalid security context"`
sepgsql, an SE-Linux integration for PostgreSQL This is still pretty rough - among other things, the documentation needs work, and the messages need a visit from the style police - but this gets the basic framework in place. KaiGai Kohei 2011-01-24 09:44:48 +08:00			`SECURITY LABEL ON COLUMN t2`
			`IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- be failed`
			`ERROR: improper relation name (too many dotted names):`
			`SECURITY LABEL ON COLUMN t2.b`
			`IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok`
			`--`
			`-- Tests for Trusted Procedures`
			`--`
			`SELECT sepgsql_getcon(); -- confirm client privilege`
			`sepgsql_getcon`
			`-----------------------------------------------------`
			`unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0`
			`(1 row)`

			`SELECT f1(); -- normal procedure`
			`f1`
			`-----------------------------------------------------`
			`unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0`
			`(1 row)`

			`SELECT f2(); -- trusted procedure`
			`f2`
			`-----------------------------------------------------`
			`unconfined_u:unconfined_r:sepgsql_trusted_proc_t:s0`
			`(1 row)`

			`SELECT f3(); -- trusted procedure that raises an error`
			`ERROR: an exception from f3()`
			`SELECT sepgsql_getcon(); -- client's label must be restored`
			`sepgsql_getcon`
			`-----------------------------------------------------`
			`unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0`
			`(1 row)`

			`--`
			`-- Clean up`
			`--`
			`SELECT sepgsql_getcon(); -- confirm client privilege`
			`sepgsql_getcon`
			`------------------------------------------------------`
			`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255`
			`(1 row)`

			`DROP TABLE IF EXISTS t1 CASCADE;`
			`DROP TABLE IF EXISTS t2 CASCADE;`
			`DROP TABLE IF EXISTS t3 CASCADE;`
			`DROP FUNCTION IF EXISTS f1() CASCADE;`
			`DROP FUNCTION IF EXISTS f2() CASCADE;`
			`DROP FUNCTION IF EXISTS f3() CASCADE;`