# SELinux reference-policy module for the PostgreSQL database server.
# Declares the postgresql_t daemon domain and the file types it may
# manage; every *_pattern / interface call below is provided by the
# rest of the reference policy (kernel, corenet, files, logging, ...).
policy_module(postgresql,1.4.1)

#################################
#
# Declarations
#

# The server process domain and the entry-point executable through which
# init transitions into it.
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t, postgresql_exec_t)

# Persistent state: the database cluster (created under /var/lib, see the
# filetrans rule in the local policy), the server configuration, which the
# daemon only reads, and the server log.
type postgresql_db_t;
files_type(postgresql_db_t)

type postgresql_etc_t;
files_config_file(postgresql_etc_t)

type postgresql_log_t;
logging_log_file(postgresql_log_t)

# Volatile state: lock file, pid file and unix socket, and scratch objects
# in /tmp or on tmpfs.
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)

type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)

type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)

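########################################
#
# postgresql Local policy
#

# Capabilities.  sys_tty_config and sys_admin previously appeared in both
# the allow rule and the dontaudit rule below; an allow makes the dontaudit
# a no-op, and CAP_SYS_ADMIN is effectively root, so the grant is dropped
# and only the dontaudit is kept (its presence indicates the server asks
# for them without needing them).  If something does break, remove the
# capability from the dontaudit rule first -- the suppression would
# otherwise hide the AVC denial that explains the failure.
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:file { getattr read };
# SysV semaphores and shared memory between the server's own processes.
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
# UDP is datagram-only: the listen/accept permissions that
# create_stream_socket_perms adds never apply, so use create_socket_perms.
allow postgresql_t self:udp_socket create_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
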
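# Database cluster: full management of every object type under the data
# directory; new objects the daemon creates in /var/lib get postgresql_db_t.
manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })

# Configuration is read-only for the daemon itself.
allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)

# The daemon may execute its own entry-point binary (and follow a symlink
# to it); read_lnk_file_perms is the policy's name for { getattr read }.
allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
can_exec(postgresql_t, postgresql_exec_t)

allow postgresql_t postgresql_lock_t:file manage_file_perms;
files_lock_filetrans(postgresql_t,postgresql_lock_t,file)

# Logs.  The filetrans below labels new *directories* postgresql_log_t as
# well as files, but the original rules only managed files of that type:
# the dir half of the transition needs dir create/manage on postgresql_log_t
# or it can never be exercised, so manage_dirs_pattern is added.
manage_dirs_pattern(postgresql_t,postgresql_log_t,postgresql_log_t)
manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t)
logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })

# Scratch space in /tmp and on tmpfs.
manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })

# Pid file and unix-domain socket under the run directory.
manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
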
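# Kernel state.  kernel_read_all_sysctls() already includes the kernel.*
# sysctls, so the separate kernel_read_kernel_sysctls() call was redundant
# and is dropped.
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)

# Networking.  Send/receive is unrestricted (all interfaces, nodes and
# ports, labelled or not); the effective control is on binding and
# connecting: the listener may bind only the postgresql port and the only
# outbound connect is to the auth port (presumably ident lookups of
# clients -- confirm against pg_hba usage before tightening further).
corenet_all_recvfrom_unlabeled(postgresql_t)
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_all_if(postgresql_t)
corenet_udp_sendrecv_all_if(postgresql_t)
corenet_tcp_sendrecv_all_nodes(postgresql_t)
corenet_udp_sendrecv_all_nodes(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
corenet_tcp_bind_all_nodes(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)

# Device access: sysfs read-only, and /dev/urandom as the only entropy
# source the policy grants.
dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)

fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)

term_use_controlling_term(postgresql_t)
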
corecmd_exec_bin(postgresql_t)
# NOTE(review): shell execution from the database domain, combined with the
# dac_override capability granted above, is a broad grant for a network
# service; confirm a server-side feature actually needs it before keeping it.
corecmd_exec_shell(postgresql_t)

domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)

files_dontaudit_search_home(postgresql_t)
# NOTE(review): this lets the daemon create, modify and delete *any* etc_t
# file, even though its own configuration already has the dedicated
# postgresql_etc_t type (read-only above).  Unless a concrete write to /etc
# by the server is known, files_read_etc_files() is the least-privilege
# replacement; left unchanged here because the need cannot be ruled out
# from the policy alone.
files_manage_etc_files(postgresql_t)
files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)

init_read_utmp(postgresql_t)

libs_use_ld_so(postgresql_t)
libs_use_shared_libs(postgresql_t)

logging_send_syslog_msg(postgresql_t)

miscfiles_read_localization(postgresql_t)

seutil_dontaudit_search_config(postgresql_t)

# Name resolution configuration, and LDAP for name-service lookups.
sysnet_read_config(postgresql_t)
sysnet_use_ldap(postgresql_t)

# Noise suppression only: no access is granted by these dontaudit rules.
userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
userdom_dontaudit_use_sysadm_ttys(postgresql_t)
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)

mta_getattr_spool(postgresql_t)

# Executable anonymous memory (W+X) only when the global allow_execmem
# boolean is on.  This weakens the no-exec-memory protection for the
# whole domain, so keep the boolean off unless something loaded into the
# server (an extension or JIT, presumably) is shown to require it.
tunable_policy(`allow_execmem',`
	allow postgresql_t self:process execmem;
')

# Each optional block applies only when the named module is loaded.
optional_policy(`
	consoletype_exec(postgresql_t)
')

# Allow the server to be started from the system crontab: the cron entry
# transitions into postgresql_t through postgresql_exec_t.
optional_policy(`
	cron_search_spool(postgresql_t)
	cron_system_entry(postgresql_t,postgresql_exec_t)
')

optional_policy(`
	hostname_exec(postgresql_t)
')

# Kerberos client access (ticket/keytab use) for authentication.
optional_policy(`
	kerberos_use(postgresql_t)
')

# NIS lookups through ypbind.
optional_policy(`
	nis_use_ypbind(postgresql_t)
')

optional_policy(`
	seutil_sigchld_newrole(postgresql_t)
')

# Read-only access to the udev device database.
optional_policy(`
	udev_read_db(postgresql_t)
')