[people/stevee/selinux-policy.git] / policy / modules / services / postgresql.te


policy_module(postgresql,1.4.1)

#################################
#
# Declarations
#
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t,postgresql_exec_t)

type postgresql_db_t;
files_type(postgresql_db_t)

type postgresql_etc_t;
files_config_file(postgresql_etc_t)

type postgresql_lock_t;
files_lock_file(postgresql_lock_t)

type postgresql_log_t;
logging_log_file(postgresql_log_t)

type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)

type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)

########################################
#
# postgresql Local policy
#
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;

manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })

allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)

allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
can_exec(postgresql_t, postgresql_exec_t )

allow postgresql_t postgresql_lock_t:file manage_file_perms;
files_lock_filetrans(postgresql_t,postgresql_lock_t,file)

manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t)
logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })

manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })

manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)

kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)

corenet_all_recvfrom_unlabeled(postgresql_t)
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_all_if(postgresql_t)
corenet_udp_sendrecv_all_if(postgresql_t)
corenet_tcp_sendrecv_all_nodes(postgresql_t)
corenet_udp_sendrecv_all_nodes(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
corenet_tcp_bind_all_nodes(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)

dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)

fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)

term_use_controlling_term(postgresql_t)

corecmd_exec_bin(postgresql_t)
corecmd_exec_shell(postgresql_t)

domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)

files_dontaudit_search_home(postgresql_t)
files_manage_etc_files(postgresql_t)
files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)

init_read_utmp(postgresql_t)

libs_use_ld_so(postgresql_t)
libs_use_shared_libs(postgresql_t)

logging_send_syslog_msg(postgresql_t)

miscfiles_read_localization(postgresql_t)

seutil_dontaudit_search_config(postgresql_t)

sysnet_read_config(postgresql_t)
sysnet_use_ldap(postgresql_t)

userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
userdom_dontaudit_use_sysadm_ttys(postgresql_t)
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)

mta_getattr_spool(postgresql_t)

tunable_policy(`allow_execmem',`
	allow postgresql_t self:process execmem;
')

optional_policy(`
	consoletype_exec(postgresql_t)
')

optional_policy(`
	cron_search_spool(postgresql_t)
	cron_system_entry(postgresql_t,postgresql_exec_t)
')

optional_policy(`
	hostname_exec(postgresql_t)
')

optional_policy(`
	kerberos_use(postgresql_t)
')

optional_policy(`
	nis_use_ypbind(postgresql_t)
')

optional_policy(`
	seutil_sigchld_newrole(postgresql_t)
')

optional_policy(`
	udev_read_db(postgresql_t)
')
Commit	Line	Data
a1fcff33	1
12e9ea1a	2	policy_module(postgresql,1.4.1)
a1fcff33 CP	3
	4	#################################
	5	#
	6	# Declarations
	7	#
	8	type postgresql_t;
	9	type postgresql_exec_t;
	10	init_daemon_domain(postgresql_t,postgresql_exec_t)
	11
	12	type postgresql_db_t;
	13	files_type(postgresql_db_t)
	14
9bbc757a CP	15	type postgresql_etc_t;
9bbc757a CP	16	files_config_file(postgresql_etc_t)
a1fcff33 CP	17
	18	type postgresql_lock_t;
	19	files_lock_file(postgresql_lock_t)
	20
	21	type postgresql_log_t;
	22	logging_log_file(postgresql_log_t)
	23
	24	type postgresql_tmp_t;
	25	files_tmp_file(postgresql_tmp_t)
	26
	27	type postgresql_var_run_t;
	28	files_pid_file(postgresql_var_run_t)
	29
	30	########################################
	31	#
	32	# postgresql Local policy
	33	#
	34	allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
165b42d2	35	dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
57d8e6c7	36	allow postgresql_t self:process signal_perms;
a1fcff33 CP	37	allow postgresql_t self:fifo_file { getattr read write ioctl };
	38	allow postgresql_t self:file { getattr read };
	39	allow postgresql_t self:sem create_sem_perms;
	40	allow postgresql_t self:shm create_shm_perms;
	41	allow postgresql_t self:tcp_socket create_stream_socket_perms;
	42	allow postgresql_t self:udp_socket create_stream_socket_perms;
	43	allow postgresql_t self:unix_dgram_socket create_socket_perms;
	44	allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
165b42d2	45	allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
a1fcff33	46
c0868a7a CP	47	manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
	48	manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
	49	manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
	50	manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
	51	manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
103fe280	52	files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
a1fcff33	53
c0868a7a CP	54	allow postgresql_t postgresql_etc_t:dir list_dir_perms;
	55	read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
	56	read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
a1fcff33 CP	57
	58	allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
	59	can_exec(postgresql_t, postgresql_exec_t )
	60
c0868a7a	61	allow postgresql_t postgresql_lock_t:file manage_file_perms;
1c1ac67f	62	files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
a1fcff33	63
c0868a7a	64	manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t)
103fe280	65	logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
a1fcff33	66
c0868a7a CP	67	manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
	68	manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
	69	manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
	70	manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
	71	manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
103fe280 CP	72	files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
103fe280 CP	73	fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
a1fcff33	74
c0868a7a CP	75	manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
c0868a7a CP	76	manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
1c1ac67f	77	files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
a1fcff33	78
445522dc	79	kernel_read_kernel_sysctls(postgresql_t)
a1fcff33 CP	80	kernel_read_system_state(postgresql_t)
a1fcff33 CP	81	kernel_list_proc(postgresql_t)
445522dc	82	kernel_read_all_sysctls(postgresql_t)
a1fcff33	83	kernel_read_proc_symlinks(postgresql_t)
a1fcff33	84
19006686 CP	85	corenet_all_recvfrom_unlabeled(postgresql_t)
19006686 CP	86	corenet_all_recvfrom_netlabel(postgresql_t)
a1fcff33 CP	87	corenet_tcp_sendrecv_all_if(postgresql_t)
a1fcff33 CP	88	corenet_udp_sendrecv_all_if(postgresql_t)
a1fcff33 CP	89	corenet_tcp_sendrecv_all_nodes(postgresql_t)
a1fcff33 CP	90	corenet_udp_sendrecv_all_nodes(postgresql_t)
a1fcff33 CP	91	corenet_tcp_sendrecv_all_ports(postgresql_t)
	92	corenet_udp_sendrecv_all_ports(postgresql_t)
	93	corenet_tcp_bind_all_nodes(postgresql_t)
a1fcff33 CP	94	corenet_tcp_bind_postgresql_port(postgresql_t)
a1fcff33 CP	95	corenet_tcp_connect_auth_port(postgresql_t)
141cffdd CP	96	corenet_sendrecv_postgresql_server_packets(postgresql_t)
141cffdd CP	97	corenet_sendrecv_auth_client_packets(postgresql_t)
a1fcff33 CP	98
	99	dev_read_sysfs(postgresql_t)
	100	dev_read_urand(postgresql_t)
	101
	102	fs_getattr_all_fs(postgresql_t)
	103	fs_search_auto_mountpoints(postgresql_t)
	104
	105	term_use_controlling_term(postgresql_t)
a1fcff33 CP	106
a1fcff33 CP	107	corecmd_exec_bin(postgresql_t)
a1fcff33 CP	108	corecmd_exec_shell(postgresql_t)
a1fcff33 CP	109
1815bad1	110	domain_dontaudit_list_all_domains_state(postgresql_t)
15722ec9	111	domain_use_interactive_fds(postgresql_t)
a1fcff33 CP	112
	113	files_dontaudit_search_home(postgresql_t)
	114	files_manage_etc_files(postgresql_t)
	115	files_search_etc(postgresql_t)
	116	files_read_etc_runtime_files(postgresql_t)
	117	files_read_usr_files(postgresql_t)
	118
68228b33	119	init_read_utmp(postgresql_t)
a1fcff33 CP	120
	121	libs_use_ld_so(postgresql_t)
	122	libs_use_shared_libs(postgresql_t)
	123
	124	logging_send_syslog_msg(postgresql_t)
	125
	126	miscfiles_read_localization(postgresql_t)
	127
	128	seutil_dontaudit_search_config(postgresql_t)
	129
	130	sysnet_read_config(postgresql_t)
a5e2133b	131	sysnet_use_ldap(postgresql_t)
a1fcff33	132
103fe280	133	userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
1815bad1	134	userdom_dontaudit_use_sysadm_ttys(postgresql_t)
15722ec9	135	userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
a1fcff33 CP	136
	137	mta_getattr_spool(postgresql_t)
	138
a1fcff33 CP	139	tunable_policy(`allow_execmem',`
	140	allow postgresql_t self:process execmem;
	141	')
	142
bb7170f6	143	optional_policy(`
a1fcff33 CP	144	consoletype_exec(postgresql_t)
	145	')
	146
bb7170f6	147	optional_policy(`
a1fcff33 CP	148	cron_search_spool(postgresql_t)
	149	cron_system_entry(postgresql_t,postgresql_exec_t)
	150	')
	151
bb7170f6	152	optional_policy(`
a1fcff33 CP	153	hostname_exec(postgresql_t)
	154	')
	155
bb7170f6	156	optional_policy(`
a1fcff33 CP	157	kerberos_use(postgresql_t)
	158	')
	159
bb7170f6	160	optional_policy(`
a1fcff33 CP	161	nis_use_ypbind(postgresql_t)
	162	')
	163
bb7170f6	164	optional_policy(`
a1fcff33 CP	165	seutil_sigchld_newrole(postgresql_t)
	166	')
	167
bb7170f6	168	optional_policy(`
a1fcff33 CP	169	udev_read_db(postgresql_t)
a1fcff33 CP	170	')