Fix sepgsql regression tests.

The regression tests for sepgsql were broken by changes in the
base distro as-shipped policies. Specifically, definition of
unconfined_t in the system default policy was changed to bypass
multi-category rules, which the regression test depended on.
Fix that by defining a custom privileged domain
(sepgsql_regtest_superuser_t) and using it instead of system's
unconfined_t domain. The new sepgsql_regtest_superuser_t domain
performs almost like the current unconfined_t, but restricted by
multi-category policy as the traditional unconfined_t was.

The custom policy module is a self defined domain, and so should not
be affected by related future system policy changes. However, it still
uses the unconfined_u:unconfined_r pair for selinux-user and role.
Those definitions have not been changed for several years and seem
less risky to rely on than the unconfined_t domain. Additionally, if
we define custom user/role, they would need to be manually defined
at the operating system level, adding more complexity to an already
non-standard and complex regression test.

Back-patch to 9.3. The regression tests will need more work before
working correctly on 9.2. Starting with 9.2, sepgsql has had dependencies
on libselinux versions that are only available on newer distros with
the changed set of policies (e.g. RHEL 7.x). On 9.1 sepgsql works
fine with the older distros with original policy set (e.g. RHEL 6.x),
and on which the existing regression tests work fine. We might want
eventually change 9.1 sepgsql regression tests to be more independent
from the underlying OS policies, however more work will be needed to
make that happen and it is not clear that it is worth the effort.

Kohei KaiGai with review by Adam Brightwell and me, commentary by
Stephen, Alvaro, Tom, Robert, and others.

contrib/sepgsql/expected/dml.out

@@ -193,8 +193,8 @@ LINE 1: SELECT * FROM my_schema_2.ts2;
 --
 SELECT sepgsql_getcon();	-- confirm client privilege
                            sepgsql_getcon                            
-------------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
+---------------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255
 (1 row)
 
 DROP TABLE IF EXISTS t1 CASCADE;

contrib/sepgsql/expected/label.out

@@ -176,11 +176,11 @@ LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_re
 -- validation of transaction aware dynamic-transition
 SELECT sepgsql_getcon();	-- confirm client privilege
                          sepgsql_getcon                          
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
+-----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c25
 (1 row)
 
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15');
  sepgsql_setcon 
 ----------------
  t
@@ -188,20 +188,20 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
 
 SELECT sepgsql_getcon();
                          sepgsql_getcon                          
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
+-----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15
 (1 row)
 
 SELECT sepgsql_setcon(NULL);	-- failed to reset
 ERROR:  SELinux: security policy violation
 SELECT sepgsql_getcon();
                          sepgsql_getcon                          
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
+-----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15
 (1 row)
 
 BEGIN;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c12');
  sepgsql_setcon 
 ----------------
  t
@@ -209,12 +209,12 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12');
 
 SELECT sepgsql_getcon();
                          sepgsql_getcon                          
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
+-----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c12
 (1 row)
 
 SAVEPOINT svpt_1;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c9');
  sepgsql_setcon 
 ----------------
  t
@@ -222,12 +222,12 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9');
 
 SELECT sepgsql_getcon();
                          sepgsql_getcon                         
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
+----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c9
 (1 row)
 
 SAVEPOINT svpt_2;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6');
  sepgsql_setcon 
 ----------------
  t
@@ -235,12 +235,12 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
 
 SELECT sepgsql_getcon();
                          sepgsql_getcon                         
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
+----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6
 (1 row)
 
 SAVEPOINT svpt_3;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c3');
  sepgsql_setcon 
 ----------------
  t
@@ -248,33 +248,33 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3');
 
 SELECT sepgsql_getcon();
                          sepgsql_getcon                         
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c3
+----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c3
 (1 row)
 
 ROLLBACK TO SAVEPOINT svpt_2;
 SELECT sepgsql_getcon();		-- should be 's0:c0.c9'
                          sepgsql_getcon                         
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
+----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c9
 (1 row)
 
 ROLLBACK TO SAVEPOINT svpt_1;
 SELECT sepgsql_getcon();		-- should be 's0:c0.c12'
                          sepgsql_getcon                          
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
+-----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c12
 (1 row)
 
 ABORT;
 SELECT sepgsql_getcon();		-- should be 's0:c0.c15'
                          sepgsql_getcon                          
---------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
+-----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15
 (1 row)
 
 BEGIN;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c8');
  sepgsql_setcon 
 ----------------
  t
@@ -282,12 +282,12 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8');
 
 SELECT sepgsql_getcon();
                          sepgsql_getcon                         
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
+----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c8
 (1 row)
 
 SAVEPOINT svpt_1;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c4');
  sepgsql_setcon 
 ----------------
  t
@@ -295,18 +295,18 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4');
 
 SELECT sepgsql_getcon();
                          sepgsql_getcon                         
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c4
+----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c4
 (1 row)
 
 ROLLBACK TO SAVEPOINT svpt_1;
 SELECT sepgsql_getcon();		-- should be 's0:c0.c8'
                          sepgsql_getcon                         
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
+----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c8
 (1 row)
 
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6');
  sepgsql_setcon 
 ----------------
  t
@@ -315,8 +315,8 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
 COMMIT;
 SELECT sepgsql_getcon();		-- should be 's0:c0.c6'
                          sepgsql_getcon                         
--------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
+----------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6
 (1 row)
 
 -- sepgsql_regtest_user_t is not available dynamic-transition,
@@ -494,8 +494,8 @@ SELECT sepgsql_getcon();
 --
 SELECT sepgsql_getcon();	-- confirm client privilege
                            sepgsql_getcon                            
-------------------------------------------------------
- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
+---------------------------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255
 (1 row)
 
 DROP TABLE IF EXISTS t1 CASCADE;

contrib/sepgsql/expected/misc.out

@@ -12,11 +12,11 @@ SET sepgsql.debug_audit = on;
 SET client_min_messages = log;
 -- regular function and operators
 SELECT * FROM t1 WHERE x > 50 AND y like '%64%';
-LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
-LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
-LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4gt(integer,integer)"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)"
+LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
+LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
+LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4gt(integer,integer)"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)"
   x  |                y                 
 -----+----------------------------------
   77 | 28dd2c7955ce926456240b2ff0100bde
@@ -29,13 +29,13 @@ LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined
 
 -- aggregate function
 SELECT MIN(x), AVG(x) FROM t1;
-LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
-LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.avg(integer)"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4_avg_accum(bigint[],integer)"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int8_avg(bigint[])"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.min(integer)"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4smaller(integer,integer)"
+LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
+LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.avg(integer)"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4_avg_accum(bigint[],integer)"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int8_avg(bigint[])"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.min(integer)"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4smaller(integer,integer)"
  min |         avg         
 -----+---------------------
    1 | 50.5000000000000000
@@ -43,11 +43,11 @@ LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined
 
 -- window function
 SELECT row_number() OVER (order by x), * FROM t1 WHERE y like '%86%';
-LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
-LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
-LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()"
-LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)"
+LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1"
+LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x"
+LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()"
+LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)"
  row_number | x  |                y                 
 ------------+----+----------------------------------
           1 |  2 | c81e728d9d4c2f636f067f89cc14862c

contrib/sepgsql/launcher

@@ -21,7 +21,7 @@ fi
 # Read SQL from stdin
 #
 TEMP=`mktemp`
-CONTEXT=""
+CONTEXT="unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255"
 
 while IFS='\\n' read LINE
 do

contrib/sepgsql/sepgsql-regtest.te

-policy_module(sepgsql-regtest, 1.07)
+policy_module(sepgsql-regtest, 1.08)
 
 gen_require(`
 	all_userspace_class_perms
@@ -23,6 +23,35 @@ postgresql_procedure_object(sepgsql_nosuch_trusted_proc_exec_t)
 type sepgsql_regtest_invisible_schema_t;
 postgresql_schema_object(sepgsql_regtest_invisible_schema_t);
 
+#
+# Test domains for self defined unconfined / superuser
+#
+role sepgsql_regtest_superuser_r;
+userdom_base_user_template(sepgsql_regtest_superuser)
+userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
+userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
+userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)
+optional_policy(`
+	postgresql_stream_connect(sepgsql_regtest_superuser_t)
+	postgresql_unconfined(sepgsql_regtest_superuser_t)
+')
+optional_policy(`
+	unconfined_stream_connect(sepgsql_regtest_superuser_t)
+	unconfined_rw_pipes(sepgsql_regtest_superuser_t)
+')
+optional_policy(`
+	gen_require(`
+		attribute sepgsql_client_type;
+	')
+	allow sepgsql_regtest_superuser_t self : process { setcurrent };
+	allow sepgsql_regtest_superuser_t { self sepgsql_client_type } : process { dyntransition };
+')
+
+# Type transition rules
+allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
+type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
+type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t;
+
 #
 # Test domains for database administrators
 #
@@ -156,10 +185,12 @@ optional_policy(`
 	tunable_policy(`sepgsql_regression_test_mode',`
 		allow unconfined_t self : process { setcurrent dyntransition };
 		allow unconfined_t sepgsql_regtest_dba_t : process { transition dyntransition };
+		allow unconfined_t sepgsql_regtest_superuser_t : process { transition dyntransition };
 		allow unconfined_t sepgsql_regtest_user_t : process { transition dyntransition };
 		allow unconfined_t sepgsql_regtest_pool_t : process { transition dyntransition };
 	')
 	role unconfined_r types sepgsql_regtest_dba_t;
+	role unconfined_r types sepgsql_regtest_superuser_t;
 	role unconfined_r types sepgsql_regtest_user_t;
 	role unconfined_r types sepgsql_regtest_nosuch_t;
 	role unconfined_r types sepgsql_trusted_proc_t;
@@ -169,6 +200,32 @@ optional_policy(`
 	role unconfined_r types sepgsql_regtest_var_t;
 ')
 
+#
+# Rule to make MCS policy work on regression test
+#
+# NOTE: MCS (multi category security) policy was enabled by default, to
+# allow DAC style access control, in the previous selinux policy.
+# However, its definition was changed later, then a limited number of
+# applications are restricted by MCS policy, for container features
+# mainly. The rules below enables MCS policy for domains of regression
+# test also, even if base security policy does not apply. If base policy
+# is old and MCS is enabled in default, rules below does nothing.
+#
+optional_policy(`
+	gen_require(`
+		type sepgsql_trusted_proc_t;
+	')
+	mcs_constrained(sepgsql_regtest_dba_t)
+	mcs_constrained(sepgsql_regtest_superuser_t)
+	mcs_constrained(sepgsql_regtest_user_t)
+	mcs_constrained(sepgsql_regtest_nosuch_t)
+	mcs_constrained(sepgsql_trusted_proc_t)
+
+	mcs_constrained(sepgsql_regtest_pool_t)
+	mcs_constrained(sepgsql_regtest_foo_t)
+	mcs_constrained(sepgsql_regtest_var_t)
+')
+
 #
 # Rule to execute original trusted procedures
 #

contrib/sepgsql/sql/alter.sql

@@ -9,7 +9,7 @@ DROP DATABASE IF EXISTS regtest_sepgsql_test_database;
 DROP USER IF EXISTS regtest_sepgsql_test_user;
 RESET client_min_messages;
 
--- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
 
 --
 -- CREATE Objects to be altered (with debug_audit being silent)

contrib/sepgsql/sql/ddl.sql

@@ -9,7 +9,7 @@ DROP USER IF EXISTS regtest_sepgsql_test_user;
 RESET client_min_messages;
 
 -- confirm required permissions using audit messages
--- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
 SET sepgsql.debug_audit = true;
 SET client_min_messages = LOG;
 

contrib/sepgsql/sql/dml.sql

@@ -126,7 +126,7 @@ SELECT * FROM my_schema_2.ts2;	-- failed (policy violation)
 --
 -- Clean up
 --
--- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255
 DROP TABLE IF EXISTS t1 CASCADE;
 DROP TABLE IF EXISTS t2 CASCADE;
 DROP TABLE IF EXISTS t3 CASCADE;

contrib/sepgsql/sql/label.sql

@@ -110,27 +110,27 @@ SELECT sepgsql_getcon();	-- client's label must be restored
 --
 
 -- validation of transaction aware dynamic-transition
--- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c25
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c15');
 SELECT sepgsql_getcon();
 
 SELECT sepgsql_setcon(NULL);	-- failed to reset
 SELECT sepgsql_getcon();
 
 BEGIN;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c12');
 SELECT sepgsql_getcon();
 
 SAVEPOINT svpt_1;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c9');
 SELECT sepgsql_getcon();
 
 SAVEPOINT svpt_2;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6');
 SELECT sepgsql_getcon();
 
 SAVEPOINT svpt_3;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c3');
 SELECT sepgsql_getcon();
 
 ROLLBACK TO SAVEPOINT svpt_2;
@@ -143,16 +143,16 @@ ABORT;
 SELECT sepgsql_getcon();		-- should be 's0:c0.c15'
 
 BEGIN;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c8');
 SELECT sepgsql_getcon();
 
 SAVEPOINT svpt_1;
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c4');
 SELECT sepgsql_getcon();
 
 ROLLBACK TO SAVEPOINT svpt_1;
 SELECT sepgsql_getcon();		-- should be 's0:c0.c8'
-SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
+SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0:c0.c6');
 
 COMMIT;
 SELECT sepgsql_getcon();		-- should be 's0:c0.c6'
@@ -231,7 +231,7 @@ SELECT sepgsql_getcon();
 --
 -- Clean up
 --
--- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255
 DROP TABLE IF EXISTS t1 CASCADE;
 DROP TABLE IF EXISTS t2 CASCADE;
 DROP TABLE IF EXISTS t3 CASCADE;