Changeset: 8125f999c846 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=8125f999c846 Added Files: buildtools/selinux/monetdb.fc buildtools/selinux/monetdb.if buildtools/selinux/monetdb.te sql/jdbc/tests/Tests/Bug_PrepStmtSetObject_CLOB_6349.SQL.bat sql/jdbc/tests/Tests/Bug_PrepStmtSetObject_CLOB_6349.SQL.sh sql/jdbc/tests/Tests/Bug_PrepStmtSetObject_CLOB_6349.stable.err sql/jdbc/tests/Tests/Bug_PrepStmtSetObject_CLOB_6349.stable.out Modified Files: MonetDB.spec NT/monetdb_config.h.in buildtools/ChangeLog.Jul2017 buildtools/Makefile.ag clients/mapiclient/mnc.c clients/mapilib/mapi.c common/stream/stream.c common/utils/mutils.c common/utils/prompt.c gdk/ChangeLog.Jul2017 gdk/gdk_posix.c gdk/gdk_storage.c monetdb5/mal/mal_linker.c monetdb5/mal/mal_profiler.c monetdb5/modules/mal/mal_mapi.c sql/jdbc/tests/Tests/All sql/jdbc/tests/Tests/Test_Dobjects.stable.out sql/test/remote/Tests/ssbm.stable.out testing/Mtest.py.in tools/merovingian/ChangeLog.Jul2017 tools/merovingian/daemon/client.c tools/merovingian/daemon/connections.c tools/merovingian/daemon/controlrunner.c tools/merovingian/daemon/handlers.c tools/merovingian/daemon/merovingian.c tools/merovingian/daemon/monetdbd.service.in tools/merovingian/daemon/multiplex-funnel.c tools/merovingian/daemon/proxy.c tools/merovingian/utils/control.c tools/merovingian/utils/utils.c Branch: default Log Message:
Merge with Jul2017 branch. diffs (truncated from 1140 to 300 lines): diff --git a/MonetDB.spec b/MonetDB.spec --- a/MonetDB.spec +++ b/MonetDB.spec @@ -135,9 +135,11 @@ URL: https://www.monetdb.org/ Source: https://www.monetdb.org/downloads/sources/Jul2017/%{name}-%{version}.tar.bz2 # we need systemd for the _unitdir macro to exist +# we need checkpolicy and selinux-policy-devel for the SELinux policy %if %{?rhel:0}%{!?rhel:1} || 0%{?rhel} >= 7 # RHEL >= 7, and all current Fedora BuildRequires: systemd +BuildRequires: checkpolicy, selinux-policy-devel, hardlink %endif BuildRequires: bison BuildRequires: bzip2-devel 
@@ -879,6 +881,62 @@ developer, but if you do want to test, t %dir %{python2_sitelib}/MonetDBtesting %{python2_sitelib}/MonetDBtesting/* +%if %{?rhel:0}%{!?rhel:1} || 0%{?rhel} >= 7 +%package selinux +Summary: MonetDB - Monet Database Management System +Group: Applications/Databases +%if "%{_selinux_policy_version}" != "" +Requires: selinux-policy >= %{_selinux_policy_version} +%endif +Requires: %{name}-SQL-server5 = %{version}-%{release} +Requires(post): /usr/sbin/semodule, /sbin/restorecon, /sbin/fixfiles, MonetDB-SQL-server5, MonetDB5-server +Requires(postun): /usr/sbin/semodule, /sbin/restorecon, /sbin/fixfiles, MonetDB-SQL-server5, MonetDB5-server +BuildArch: noarch + +%global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null) +%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls targeted || echo %{selinux_types}) + +%description selinux +MonetDB is a database management system that is developed from a +main-memory perspective with use of a fully decomposed storage model, +automatic index management, extensibility of data types and search +accelerators. It also has an SQL frontend. + +This package contains the SELinux policy for running MonetDB under +control of systemd. 
+ +%post selinux +for selinuxvariant in %{selinux_variants} +do + /usr/sbin/semodule -s ${selinuxvariant} -i \ + %{_datadir}/selinux/${selinuxvariant}/monetdb.pp &> /dev/null || : +done +/sbin/restorecon -R %{_localstatedir}/monetdb5 %{_localstatedir}/log/monetdb %{_localstatedir}/run/monetdb %{_bindir}/monetdbd %{_bindir}/mserver5 %{_unitdir}/monetdbd.service &> /dev/null || : +/usr/bin/systemctl try-restart monetdbd.service + +%postun selinux +if [ $1 -eq 0 ] ; then + active=`/usr/bin/systemctl is-active monetdbd.service` + if [ $active = active ]; then + /usr/bin/systemctl stop monetdbd.service + fi + for selinuxvariant in %{selinux_variants} + do + /usr/sbin/semodule -s ${selinuxvariant} -r monetdb &> /dev/null || : + done + /sbin/restorecon -R %{_localstatedir}/monetdb5 %{_localstatedir}/log/monetdb %{_localstatedir}/run/monetdb %{_bindir}/monetdbd %{_bindir}/mserver5 %{_unitdir}/monetdbd.service &> /dev/null || : + if [ $active = active ]; then + /usr/bin/systemctl start monetdbd.service + fi +fi + +%files selinux +%defattr(-,root,root,0755) +%doc buildtools/selinux/* +%{_datadir}/selinux/*/monetdb.pp + +%endif + %prep %setup -q @@ -940,6 +998,15 @@ fi make %{?_smp_mflags} +cd buildtools/selinux +for selinuxvariant in %{selinux_variants} +do + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile + mv monetdb.pp monetdb.pp.${selinuxvariant} + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean +done +cd - + %install %make_install @@ -955,6 +1022,14 @@ rm -f %{buildroot}%{_libdir}/monetdb5/*. # internal development stuff rm -f %{buildroot}%{_bindir}/Maddlog +for selinuxvariant in %{selinux_variants} +do + install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant} + install -p -m 644 buildtools/selinux/monetdb.pp.${selinuxvariant} \ + %{buildroot}%{_datadir}/selinux/${selinuxvariant}/monetdb.pp +done +/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux + %post -p /sbin/ldconfig %postun -p /sbin/ldconfig 
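Review bot: The closing `/usr/bin/systemctl try-restart monetdbd.service` in `%post selinux` is the one command in that scriptlet without a `|| :` guard, so a restart failure fails the scriptlet even though the policy and labels were already installed; `/usr/bin/systemctl try-restart monetdbd.service &> /dev/null || :` matches the `semodule` and `restorecon` lines around it. Because the `semodule -i` output is discarded, a module that fails to load (for example against a newer base policy) presumably leaves monetdbd running unconfined with nothing in the install log; replacing `&> /dev/null || :` with a one-line warning to stderr on failure would make that visible to the administrator. In `%postun`, the unquoted `[ $active = active ]` should be `[ "$active" = active ]` so an empty or multi-word `is-active` result cannot turn into a shell syntax error.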
diff --git a/NT/monetdb_config.h.in b/NT/monetdb_config.h.in --- a/NT/monetdb_config.h.in +++ b/NT/monetdb_config.h.in @@ -1028,6 +1028,9 @@ typedef unsigned __int64 uint64_t; #define false 0 #define __bool_true_false_are_defined 1 +/* normally defined in fcntl.h, but not on Windows */ +#define O_CLOEXEC 0 + #ifdef HAVE_LONG_LONG typedef long long lng; diff --git a/buildtools/ChangeLog.Jul2017 b/buildtools/ChangeLog.Jul2017 --- a/buildtools/ChangeLog.Jul2017 +++ b/buildtools/ChangeLog.Jul2017 @@ -1,3 +1,14 @@ # ChangeLog file for buildtools # This file is updated with Maddlog +* Fri Jul 14 2017 Sjoerd Mullender <[email protected]> +- Added a new RPM called MonetDB-selinux which provides the SELinux + policy required to run MonetDB under systemd, especially on Fedora 26. + +* Fri Jul 7 2017 Sjoerd Mullender <[email protected]> +- The Windows installers (*.msi files) are now created using the WiX + Toolset. +- The Windows binaries are now built using Visual Studio 2015. Because of + this, you may need to install the Visual C++ Redistributable for Visual + Studio 2015 before being able to run MonetDB. + diff --git a/buildtools/Makefile.ag b/buildtools/Makefile.ag --- a/buildtools/Makefile.ag +++ b/buildtools/Makefile.ag @@ -6,4 +6,4 @@ SUBDIRS = conf -EXTRA_DIST_DIR = autogen doc +EXTRA_DIST_DIR = autogen doc selinux diff --git a/buildtools/selinux/monetdb.fc b/buildtools/selinux/monetdb.fc new file mode 100644 --- /dev/null +++ b/buildtools/selinux/monetdb.fc 
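Review bot: `#define O_CLOEXEC 0` turns the flag into a silent no-op on Windows, so the `open()` calls elsewhere in this merge that presumably pass it (the diff is truncated here) end up with inheritable descriptors, the opposite of what the rest of the change works toward. The MSVC CRT has `_O_NOINHERIT` with the same meaning for `_open()`, so `#define O_CLOEXEC _O_NOINHERIT` keeps the intent on that platform; if 0 is deliberate because the flag is also OR-ed into something that would reject `_O_NOINHERIT`, the comment should say so, e.g. `/* normally defined in fcntl.h, but not on Windows; 0 leaves descriptors inheritable there */`.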
@@ -0,0 +1,9 @@
+/usr/bin/monetdbd -- gen_context(system_u:object_r:monetdbd_exec_t,s0)
+/usr/bin/mserver5 -- gen_context(system_u:object_r:mserver5_exec_t,s0)
+/usr/lib/systemd/system/monetdbd.* gen_context(system_u:object_r:monetdbd_unit_file_t,s0)
+/var/log/monetdb(/.*)? gen_context(system_u:object_r:monetdbd_log_t,s0)
+/var/monetdb5/dbfarm(/.*)? gen_context(system_u:object_r:mserver5_db_t,s0)
+/var/monetdb5/dbfarm/\.merovingian_properties -- gen_context(system_u:object_r:monetdbd_etc_t,s0)
+/var/run/monetdb(/.*)? gen_context(system_u:object_r:monetdbd_var_run_t,s0)
+/var/monetdb5/dbfarm/\.merovingian_lock -- gen_context(system_u:object_r:monetdbd_lock_t,s0)
+/var/monetdb5/dbfarm/.*/\.gdk_lock -- gen_context(system_u:object_r:mserver5_lock_t,s0)
diff --git a/buildtools/selinux/monetdb.if b/buildtools/selinux/monetdb.if
new file mode 100644
--- /dev/null
+++ b/buildtools/selinux/monetdb.if
@@ -0,0 +1,1 @@
+## <summary></summary>
diff --git a/buildtools/selinux/monetdb.te b/buildtools/selinux/monetdb.te
new file mode 100644
--- /dev/null
+++ b/buildtools/selinux/monetdb.te
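Review bot: The database labels are tied to the literal default farm path `/var/monetdb5/dbfarm(/.*)?`, so a dbfarm configured anywhere else receives no `mserver5_db_t` label and, going by the accompanying policy, mserver5_t can then only read such a directory rather than manage it. A header comment stating this, with the `semanage fcontext -a -e /var/monetdb5/dbfarm /other/dbfarm` and `restorecon -R` an administrator must run, would save the first support request; `/var/run/monetdb(/.*)?` likewise presumably relies on the distribution's `/var/run` to `/run` path substitution. The `.merovingian_properties`, `.merovingian_lock` and `.gdk_lock` entries are meant to take precedence over the `(/.*)?` wildcard as the more specific matches, and since the file has no comments at all a one-liner saying so would help the next editor keep them below the wildcard.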
@@ -0,0 +1,103 @@
+policy_module(monetdb, 0.1)
+# The above line declares that this file is a SELinux policy file. Its
+# name is monetdb, so the file should be saved as monetdb.te
+
+# First, we declare the monetdbd_t domain, used for the "monetdbd"
+# process. Because it is launched by systemd, we tell the policy that
+# monetdbd_exec_t (the context of monetdbd), when launched by systemd,
+# should transition to monetdbd_t.
+type monetdbd_t; # monetdbd when run by systemd
+type monetdbd_exec_t; # /usr/bin/monetdbd
+init_daemon_domain(monetdbd_t, monetdbd_exec_t)
+
+# monetdbd_t must be allowed to execute mserver5 which has context
+# mserver5_exec_t which must then transition to the mserver5_t domain
+type mserver5_t; # mserver5 when run by monetdbd (monetdbd_t)
+type mserver5_exec_t; # /usr/bin/mserver5
+application_domain(mserver5_t, mserver5_exec_t)
+# see https://selinuxproject.org/page/NB_Domain_and_Object_Transitions#Domain_Transition
+allow monetdbd_t mserver5_t:process transition;
+allow monetdbd_t mserver5_exec_t:file { execute open read getattr };
+allow mserver5_t mserver5_exec_t:file { entrypoint read execute };
+type_transition monetdbd_t mserver5_exec_t:process mserver5_t;
+
+# declare a type for the systemd unit file (monetdbd.service)
+type monetdbd_unit_file_t;
+systemd_unit_file(monetdbd_unit_file_t)
+
+# declare a type for the log files
+type monetdbd_log_t;
+logging_log_file(monetdbd_log_t)
+manage_dirs_pattern(monetdbd_t, monetdbd_log_t, monetdbd_log_t)
+manage_files_pattern(monetdbd_t, monetdbd_log_t, monetdbd_log_t)
+logging_log_filetrans(monetdbd_t, monetdbd_log_t, { file dir })
+
+# the context used for the MonetDB database files
+type mserver5_db_t;
+files_type(mserver5_db_t)
+manage_files_pattern(mserver5_t, mserver5_db_t, mserver5_db_t)
+manage_dirs_pattern(mserver5_t, mserver5_db_t, mserver5_db_t)
+manage_files_pattern(monetdbd_t, mserver5_db_t, mserver5_db_t)
+manage_dirs_pattern(monetdbd_t, mserver5_db_t, mserver5_db_t)
+
+# the context used for the configuration files
+type monetdbd_etc_t;
+files_config_file(monetdbd_etc_t)
+read_files_pattern(monetdbd_t, monetdbd_etc_t, monetdbd_etc_t)
+read_lnk_files_pattern(monetdbd_t, monetdbd_etc_t, monetdbd_etc_t)
+
+# the context used for the PID file
+type monetdbd_var_run_t;
+files_pid_file(monetdbd_var_run_t)
+init_daemon_run_dir(monetdbd_var_run_t, "monetdb")
+manage_dirs_pattern(monetdbd_t, monetdbd_var_run_t, monetdbd_var_run_t)
+manage_files_pattern(monetdbd_t, monetdbd_var_run_t, monetdbd_var_run_t)
+
+# context for .merovingian_lock file
+type monetdbd_lock_t;
+files_lock_file(monetdbd_lock_t)
+allow monetdbd_t monetdbd_lock_t:file manage_file_perms;
+files_lock_filetrans(monetdbd_t, monetdbd_lock_t, file, ".merovingian_lock")
+
+# context for .gdk_lock file inside the database
+# these files get locked by mserver5, but also by monetdbd
+type mserver5_lock_t;
+files_lock_file(mserver5_lock_t)
+allow mserver5_t mserver5_lock_t:file manage_file_perms;
+files_lock_filetrans(mserver5_t, mserver5_lock_t, file, ".gdk_lock")
+allow monetdbd_t mserver5_lock_t:file manage_file_perms;
+files_lock_filetrans(monetdbd_t, mserver5_lock_t, file, ".gdk_lock")
+
+# other required permissions
+dev_read_rand(monetdbd_t)
+sysnet_dns_name_resolve(monetdbd_t)
+corenet_udp_bind_generic_node(monetdbd_t)
+corenet_tcp_bind_generic_node(monetdbd_t)
+allow monetdbd_t self:tcp_socket create_stream_socket_perms;
+allow monetdbd_t self:udp_socket create_stream_socket_perms;
+allow monetdbd_t self:unix_dgram_socket create_socket_perms;
+allow monetdbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow monetdbd_t self:netlink_selinux_socket create_socket_perms;
+manage_dirs_pattern(monetdbd_t, tmp_t, tmp_t)
+manage_sock_files_pattern(monetdbd_t, tmp_t, tmp_t)
+manage_sock_files_pattern(monetdbd_t, mserver5_db_t, mserver5_db_t)
+
+dev_read_rand(mserver5_t)
+allow mserver5_t monetdbd_t:fd { use };
+allow monetdbd_t mserver5_t:process { rlimitinh siginh signal };
+dev_rw_null(mserver5_t)
+sysnet_dns_name_resolve(mserver5_t)
+corenet_udp_bind_generic_node(mserver5_t)
+corenet_tcp_bind_generic_node(mserver5_t)
+allow mserver5_t self:tcp_socket create_stream_socket_perms;
+allow mserver5_t self:udp_socket create_stream_socket_perms;
+allow mserver5_t self:unix_dgram_socket create_socket_perms;
+allow mserver5_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow mserver5_t self:netlink_selinux_socket create_socket_perms;
+manage_dirs_pattern(mserver5_t, tmp_t, tmp_t)
+manage_sock_files_pattern(mserver5_t, tmp_t, tmp_t)
+manage_sock_files_pattern(mserver5_t, mserver5_db_t, mserver5_db_t)
+allow mserver5_t monetdbd_t:fifo_file { read write getattr };
+allow mserver5_t monetdbd_t:unix_stream_socket { read write getopt shutdown };
+allow mserver5_t var_t:dir { read };
+allow monetdbd_t mserver5_t:unix_stream_socket { connectto };
diff --git a/clients/mapiclient/mnc.c b/clients/mapiclient/mnc.c
--- a/clients/mapiclient/mnc.c
+++ b/clients/mapiclient/mnc.c
@@ -172,6 +172,9 @@ main(int argc, char **argv)
 break; /* success */
 closesocket(s);
 }
+#ifdef HAVE_FCNTL
+ fcntl(s, F_SETFD, FD_CLOEXEC);
+#endif
 freeaddrinfo(res);
 if (rp == NULL) {
 fprintf(stderr, "could not connect to %s:%s: %s\n",
@@ -197,6 +200,9 @@ main(int argc, char **argv)
 fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
 exit(1);
 }
+#ifdef HAVE_FCNTL
+ fcntl(s, F_SETFD, FD_CLOEXEC);
+#endif
 if (connect(s, serv, sizeof(server)) == SOCKET_ERROR) {
 fprintf(stderr,
_______________________________________________
checkin-list mailing list
[email protected]
https://www.monetdb.org/mailman/listinfo/checkin-list
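Review bot: `manage_dirs_pattern(monetdbd_t, tmp_t, tmp_t)` and the `manage_sock_files_pattern(..., tmp_t, tmp_t)` rules under "other required permissions" give both domains full control over everything labelled with the generic `tmp_t`, i.e. every other service's and user's objects in /tmp, which is far broader than the sockets the daemons create there; the refpolicy idiom is a private tmp type with a name transition so that only objects MonetDB creates carry the permissive label. `tmp_t` and `var_t` are also used without a `gen_require` block; I cannot tell from here whether the devel headers declare them, but the private type removes the `tmp_t` dependency either way. Separately, the four hand-written rules after `application_domain(mserver5_t, mserver5_exec_t)` are essentially what `domtrans_pattern(monetdbd_t, mserver5_exec_t, mserver5_t)` expands to, and that pattern `dontaudit`s `siginh`/`rlimitinh` instead of the `allow` given later, which is the usual choice unless mserver5 really must inherit monetdbd's signal state and limits.
```selinux
# Private tmp type: only the sockets/dirs MonetDB itself creates under /tmp
# get this label, so neither domain can touch other tmp_t objects.
type monetdb_tmp_t;
files_tmp_file(monetdb_tmp_t)

manage_dirs_pattern(monetdbd_t, monetdb_tmp_t, monetdb_tmp_t)
manage_sock_files_pattern(monetdbd_t, monetdb_tmp_t, monetdb_tmp_t)
files_tmp_filetrans(monetdbd_t, monetdb_tmp_t, { dir sock_file })
# … unchanged: remaining monetdbd_t rules …

manage_dirs_pattern(mserver5_t, monetdb_tmp_t, monetdb_tmp_t)
manage_sock_files_pattern(mserver5_t, monetdb_tmp_t, monetdb_tmp_t)
files_tmp_filetrans(mserver5_t, monetdb_tmp_t, { dir sock_file })
# … unchanged: remaining mserver5_t rules …
```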
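Review bot: In the first hunk the new `fcntl(s, F_SETFD, FD_CLOEXEC)` runs after the address loop but before the `rp == NULL` check, so when every connect attempt failed it is applied to a descriptor that `closesocket(s)` has already closed (or to whatever `s` holds at that point; the loop body and the `socket()` call start outside the hunk). Moving the three lines below the `if (rp == NULL)` block, or inside the loop next to `break; /* success */`, keeps it on a live socket; the `fcntl` return value is ignored in both hunks. Setting the flag with a separate call also leaves a window between `socket()` and `fcntl()` in which a child could inherit the descriptor, which matters little in a single-threaded client but is closed for free where the platform has `SOCK_CLOEXEC`, presumably `socket(rp->ai_family, rp->ai_socktype | SOCK_CLOEXEC, rp->ai_protocol)`. The second hunk is cut off by the truncated diff, so its surrounding code is not reviewed here.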
