794e2558be
The regression tests for sepgsql were broken by changes in the base distro as-shipped policies. Specifically, definition of unconfined_t in the system default policy was changed to bypass multi-category rules, which the regression test depended on. Fix that by defining a custom privileged domain (sepgsql_regtest_superuser_t) and using it instead of system's unconfined_t domain. The new sepgsql_regtest_superuser_t domain performs almost like the current unconfined_t, but restricted by multi-category policy as the traditional unconfined_t was. The custom policy module is a self defined domain, and so should not be affected by related future system policy changes. However, it still uses the unconfined_u:unconfined_r pair for selinux-user and role. Those definitions have not been changed for several years and seem less risky to rely on than the unconfined_t domain. Additionally, if we define custom user/role, they would need to be manually defined at the operating system level, adding more complexity to an already non-standard and complex regression test. Back-patch to 9.3. The regression tests will need more work before working correctly on 9.2. Starting with 9.2, sepgsql has had dependencies on libselinux versions that are only available on newer distros with the changed set of policies (e.g. RHEL 7.x). On 9.1 sepgsql works fine with the older distros with original policy set (e.g. RHEL 6.x), and on which the existing regression tests work fine. We might eventually want to change the 9.1 sepgsql regression tests to be more independent from the underlying OS policies; however, more work will be needed to make that happen and it is not clear that it is worth the effort. Kohei KaiGai with review by Adam Brightwell and me, commentary by Stephen, Alvaro, Tom, Robert, and others.
--
-- Test for various ALTER statements
--
-- sepgsql regression test: runs one ALTER variant per object type so that
-- the permission checks sepgsql performs for each of them show up in the
-- expected output as audit log lines (see the debug_audit switch below).
--

-- clean-up in case a prior regression run failed
-- Only cluster-wide objects (databases, role) are dropped here; the schemas
-- and relations live inside the test database, which the harness presumably
-- recreates on every run -- confirm against the test driver.
SET client_min_messages TO 'warning';
DROP DATABASE IF EXISTS regtest_sepgsql_test_database_1;
DROP DATABASE IF EXISTS regtest_sepgsql_test_database;
DROP USER IF EXISTS regtest_sepgsql_test_user;
RESET client_min_messages;

-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
-- Directive for the sepgsql test launcher: the statements that follow are
-- executed under the custom privileged domain shipped with the test policy
-- module, not the distro's unconfined_t, whose multi-category behaviour the
-- test cannot rely on. The selinux user/role pair is still the system one.

--
-- CREATE Objects to be altered (with debug_audit being silent)
--
-- debug_audit is still off at this point, so these CREATEs add no audit
-- lines; the expected output is meant to hold the ALTER checks only.
--
CREATE DATABASE regtest_sepgsql_test_database_1;

CREATE USER regtest_sepgsql_test_user;

CREATE SCHEMA regtest_schema_1;
CREATE SCHEMA regtest_schema_2;

GRANT ALL ON SCHEMA regtest_schema_1 TO public;
GRANT ALL ON SCHEMA regtest_schema_2 TO public;

SET search_path = regtest_schema_1, regtest_schema_2, public;

CREATE TABLE regtest_table_1 (a int, b text);

-- child table: used later for the INHERIT / NO INHERIT cases
CREATE TABLE regtest_table_2 (c text) inherits (regtest_table_1);

-- primary key is needed as the FK target in the ADD CONSTRAINT case
CREATE TABLE regtest_table_3 (x int primary key, y text);

CREATE SEQUENCE regtest_seq_1;

CREATE VIEW regtest_view_1 AS SELECT * FROM regtest_table_1 WHERE a > 0;

CREATE FUNCTION regtest_func_1 (text) RETURNS bool
AS 'BEGIN RETURN true; END' LANGUAGE 'plpgsql';

-- switch on debug_audit
-- With sepgsql.debug_audit on, every permission check sepgsql performs is
-- logged; client_min_messages = LOG makes those messages reach the client
-- so they are captured in the expected output.
SET sepgsql.debug_audit = true;
SET client_min_messages = LOG;

--
-- ALTER xxx OWNER TO
--
-- XXX: It should take db_xxx:{setattr} permission checks even if
-- owner is not actually changed.
--
-- Each statement is issued twice on purpose: the first call really changes
-- the owner, the second is a no-op, and both are expected to be audited.
--
ALTER DATABASE regtest_sepgsql_test_database_1 OWNER TO regtest_sepgsql_test_user;
ALTER DATABASE regtest_sepgsql_test_database_1 OWNER TO regtest_sepgsql_test_user;
ALTER SCHEMA regtest_schema_1 OWNER TO regtest_sepgsql_test_user;
ALTER SCHEMA regtest_schema_1 OWNER TO regtest_sepgsql_test_user;
ALTER TABLE regtest_table_1 OWNER TO regtest_sepgsql_test_user;
ALTER TABLE regtest_table_1 OWNER TO regtest_sepgsql_test_user;
ALTER SEQUENCE regtest_seq_1 OWNER TO regtest_sepgsql_test_user;
ALTER SEQUENCE regtest_seq_1 OWNER TO regtest_sepgsql_test_user;
ALTER VIEW regtest_view_1 OWNER TO regtest_sepgsql_test_user;
ALTER VIEW regtest_view_1 OWNER TO regtest_sepgsql_test_user;
ALTER FUNCTION regtest_func_1(text) OWNER TO regtest_sepgsql_test_user;
ALTER FUNCTION regtest_func_1(text) OWNER TO regtest_sepgsql_test_user;

--
-- ALTER xxx SET SCHEMA
--
-- Objects move from regtest_schema_1 to regtest_schema_2; search_path still
-- resolves them because both schemas are on it.
--
ALTER TABLE regtest_table_1 SET SCHEMA regtest_schema_2;
ALTER SEQUENCE regtest_seq_1 SET SCHEMA regtest_schema_2;
ALTER VIEW regtest_view_1 SET SCHEMA regtest_schema_2;
ALTER FUNCTION regtest_func_1(text) SET SCHEMA regtest_schema_2;

--
-- ALTER xxx RENAME TO
--
-- From here on the objects are referred to by their new names; the database
-- is renamed to the name dropped at the very end.
--
ALTER DATABASE regtest_sepgsql_test_database_1 RENAME TO regtest_sepgsql_test_database;
ALTER SCHEMA regtest_schema_1 RENAME TO regtest_schema;
ALTER TABLE regtest_table_1 RENAME TO regtest_table;
ALTER SEQUENCE regtest_seq_1 RENAME TO regtest_seq;
ALTER VIEW regtest_view_1 RENAME TO regtest_view;
ALTER FUNCTION regtest_func_1(text) RENAME TO regtest_func;

-- re-point search_path at the renamed schema
SET search_path = regtest_schema, regtest_schema_2, public;

--
-- misc ALTER commands
--
-- Statements tagged "not supported" are cases for which sepgsql currently
-- applies no specific check; they are presumably kept so the expected output
-- records that and a future change in behaviour becomes visible.
--
ALTER DATABASE regtest_sepgsql_test_database CONNECTION LIMIT 999;
ALTER DATABASE regtest_sepgsql_test_database SET search_path TO regtest_schema, public; -- not supported yet

ALTER TABLE regtest_table ADD COLUMN d float;
ALTER TABLE regtest_table DROP COLUMN d;
ALTER TABLE regtest_table ALTER b SET DEFAULT 'abcd'; -- not supported yet
ALTER TABLE regtest_table ALTER b SET DEFAULT 'XYZ'; -- not supported yet
ALTER TABLE regtest_table ALTER b DROP DEFAULT; -- not supported yet
ALTER TABLE regtest_table ALTER b SET NOT NULL;
ALTER TABLE regtest_table ALTER b DROP NOT NULL;
ALTER TABLE regtest_table ALTER b SET STATISTICS -1;
ALTER TABLE regtest_table ALTER b SET (n_distinct = 999);
ALTER TABLE regtest_table ALTER b SET STORAGE PLAIN;
ALTER TABLE regtest_table ADD CONSTRAINT test_fk FOREIGN KEY (a) REFERENCES regtest_table_3(x); -- not supported
ALTER TABLE regtest_table ADD CONSTRAINT test_ck CHECK (b like '%abc%') NOT VALID; -- not supported
ALTER TABLE regtest_table VALIDATE CONSTRAINT test_ck; -- not supported
ALTER TABLE regtest_table DROP CONSTRAINT test_ck; -- not supported

-- built-in trigger function; only needed so there is a trigger to toggle
CREATE TRIGGER regtest_test_trig BEFORE UPDATE ON regtest_table
FOR EACH ROW EXECUTE PROCEDURE suppress_redundant_updates_trigger();

ALTER TABLE regtest_table DISABLE TRIGGER regtest_test_trig; -- not supported
ALTER TABLE regtest_table ENABLE TRIGGER regtest_test_trig; -- not supported

CREATE RULE regtest_test_rule AS ON INSERT TO regtest_table_3 DO ALSO NOTHING;
ALTER TABLE regtest_table_3 DISABLE RULE regtest_test_rule; -- not supported
ALTER TABLE regtest_table_3 ENABLE RULE regtest_test_rule; -- not supported

ALTER TABLE regtest_table SET WITH OIDS;
ALTER TABLE regtest_table SET WITHOUT OIDS;
ALTER TABLE regtest_table SET (fillfactor = 75);
ALTER TABLE regtest_table RESET (fillfactor);
ALTER TABLE regtest_table_2 NO INHERIT regtest_table; -- not supported
ALTER TABLE regtest_table_2 INHERIT regtest_table; -- not supported
ALTER TABLE regtest_table SET TABLESPACE pg_default;

ALTER VIEW regtest_view SET (security_barrier);

ALTER SEQUENCE regtest_seq INCREMENT BY 10 START WITH 1000;

--
-- clean-up objects
--
-- The GUCs are reset first so the DROPs below do not add audit lines to the
-- expected output. DROP SCHEMA ... CASCADE takes the tables, view, sequence,
-- function, trigger and rule with it; the role is dropped last because it
-- still owns objects in those schemas.
--
RESET sepgsql.debug_audit;
RESET client_min_messages;
DROP DATABASE regtest_sepgsql_test_database;
DROP SCHEMA regtest_schema CASCADE;
DROP SCHEMA regtest_schema_2 CASCADE;
DROP USER regtest_sepgsql_test_user;