[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / postgresql.te


policy_module(postgresql,1.0)

#################################
#
# Declarations
#
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t,postgresql_exec_t)

type postgresql_db_t;
files_type(postgresql_db_t)

type postgresql_etc_t; #, usercanread;
files_type(postgresql_etc_t)

type postgresql_lock_t;
files_lock_file(postgresql_lock_t)

type postgresql_log_t;
logging_log_file(postgresql_log_t)

type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)

type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)

########################################
#
# postgresql Local policy
#
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };

allow postgresql_t postgresql_db_t:dir create_dir_perms;
allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
allow postgresql_t postgresql_db_t:file create_file_perms;
allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
allow postgresql_t postgresql_db_t:sock_file create_file_perms;
files_create_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })

allow postgresql_t postgresql_etc_t:dir r_dir_perms;
allow postgresql_t postgresql_etc_t:file r_file_perms;
allow postgresql_t postgresql_etc_t:lnk_file { getattr read };

allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
can_exec(postgresql_t, postgresql_exec_t )

allow postgresql_t postgresql_lock_t:file create_file_perms;
files_create_lock(postgresql_t,postgresql_lock_t)

allow postgresql_t postgresql_log_t:dir rw_dir_perms;
allow postgresql_t postgresql_log_t:file create_file_perms;
logging_create_log(postgresql_t,postgresql_log_t,{ file dir })

allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
allow postgresql_t postgresql_tmp_t:file create_file_perms;
allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
files_create_tmp_files(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_create_tmpfs_data(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })

allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
allow postgresql_t postgresql_var_run_t:file create_file_perms;
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
files_create_pid(postgresql_t,postgresql_var_run_t)

kernel_read_kernel_sysctl(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctl(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
kernel_tcp_recvfrom(postgresql_t)

corenet_tcp_sendrecv_all_if(postgresql_t)
corenet_udp_sendrecv_all_if(postgresql_t)
corenet_raw_sendrecv_all_if(postgresql_t)
corenet_tcp_sendrecv_all_nodes(postgresql_t)
corenet_udp_sendrecv_all_nodes(postgresql_t)
corenet_raw_sendrecv_all_nodes(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
corenet_tcp_bind_all_nodes(postgresql_t)
corenet_udp_bind_all_nodes(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)

dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)

fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)

term_use_controlling_term(postgresql_t)
term_dontaudit_use_console(postgresql_t)

corecmd_exec_bin(postgresql_t)
corecmd_exec_ls(postgresql_t)
corecmd_exec_sbin(postgresql_t)
corecmd_exec_shell(postgresql_t)

domain_dontaudit_list_all_domains_proc(postgresql_t)
domain_use_wide_inherit_fd(postgresql_t)

files_dontaudit_search_home(postgresql_t)
files_manage_etc_files(postgresql_t)
files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)

init_read_script_pid(postgresql_t)
init_use_fd(postgresql_t)
init_use_script_pty(postgresql_t)

libs_use_ld_so(postgresql_t)
libs_use_shared_libs(postgresql_t)

logging_send_syslog_msg(postgresql_t)

miscfiles_read_localization(postgresql_t)

seutil_dontaudit_search_config(postgresql_t)

sysnet_read_config(postgresql_t)

userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
userdom_dontaudit_use_sysadm_tty(postgresql_t)
userdom_dontaudit_use_unpriv_user_fd(postgresql_t)

mta_getattr_spool(postgresql_t)

ifdef(`targeted_policy', `
	files_dontaudit_read_root_file(postgresql_t)
	term_dontaudit_use_generic_pty(postgresql_t)
	term_dontaudit_use_unallocated_tty(postgresql_t)
')

tunable_policy(`allow_execmem',`
	allow postgresql_t self:process execmem;
')

optional_policy(`consoletype.te', `
	consoletype_exec(postgresql_t)
')

optional_policy(`cron.te',`
	cron_search_spool(postgresql_t)
	cron_system_entry(postgresql_t,postgresql_exec_t)
')

optional_policy(`hostname.te', `
	hostname_exec(postgresql_t)
')

optional_policy(`kerberos.te',`
	kerberos_use(postgresql_t)
')

optional_policy(`mount.te',`
	mount_send_nfs_client_request(postgresql_t)
')

optional_policy(`nis.te',`
	nis_use_ypbind(postgresql_t)
')

optional_policy(`selinuxutil.te',`
	seutil_sigchld_newrole(postgresql_t)
')

optional_policy(`udev.te', `
	udev_read_db(postgresql_t)
')

ifdef(`TODO',`
optional_policy(`rhgb.te',`
	rhgb_domain(postgresql_t)
')
ifdef(`targeted_policy', `', `
bool allow_user_postgresql_connect false;

if (allow_user_postgresql_connect) {
# allow any user domain to connect to the database server
can_tcp_connect(userdomain, postgresql_t)
allow userdomain postgresql_t:unix_stream_socket connectto;
allow userdomain postgresql_var_run_t:sock_file write;
allow userdomain postgresql_tmp_t:sock_file write;
}
')
ifdef(`distro_debian', `
	init_exec_script(postgresql_t)
	# gross hack
	postgresql_domtrans(dpkg_t)
	can_exec(postgresql_t, dpkg_exec_t)
')

ifdef(`distro_gentoo', `
	allow postgresql_t initrc_su_t:process { sigchld };
	# "su - postgres ..." is called from initrc_t
	postgresql_search_db_dir(initrc_su_t)
	dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')

# Goes to apache.te:
# Allow httpd to work with postgresql
optional_policy(`postgresql.te', ` 
	# Original policy had apache connecting to postgresql_tmp_t:sock_file
	# instead of what is assumed to be correct: postgresql_var_run_t. -Don
	postgresql_unix_connect(httpd_t)
')
')
Commit	Line	Data
a1fcff33 CP	1
	2	policy_module(postgresql,1.0)
	3
	4	#################################
	5	#
	6	# Declarations
	7	#
	8	type postgresql_t;
	9	type postgresql_exec_t;
	10	init_daemon_domain(postgresql_t,postgresql_exec_t)
	11
	12	type postgresql_db_t;
	13	files_type(postgresql_db_t)
	14
	15	type postgresql_etc_t; #, usercanread;
	16	files_type(postgresql_etc_t)
	17
	18	type postgresql_lock_t;
	19	files_lock_file(postgresql_lock_t)
	20
	21	type postgresql_log_t;
	22	logging_log_file(postgresql_log_t)
	23
	24	type postgresql_tmp_t;
	25	files_tmp_file(postgresql_tmp_t)
	26
	27	type postgresql_var_run_t;
	28	files_pid_file(postgresql_var_run_t)
	29
	30	########################################
	31	#
	32	# postgresql Local policy
	33	#
	34	allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
57d8e6c7	35	allow postgresql_t self:process signal_perms;
a1fcff33 CP	36	allow postgresql_t self:fifo_file { getattr read write ioctl };
	37	allow postgresql_t self:file { getattr read };
	38	allow postgresql_t self:sem create_sem_perms;
	39	allow postgresql_t self:shm create_shm_perms;
	40	allow postgresql_t self:tcp_socket create_stream_socket_perms;
	41	allow postgresql_t self:udp_socket create_stream_socket_perms;
	42	allow postgresql_t self:unix_dgram_socket create_socket_perms;
	43	allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
	44	dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
	45
	46	allow postgresql_t postgresql_db_t:dir create_dir_perms;
	47	allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
	48	allow postgresql_t postgresql_db_t:file create_file_perms;
	49	allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
	50	allow postgresql_t postgresql_db_t:sock_file create_file_perms;
	51	files_create_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
	52
	53	allow postgresql_t postgresql_etc_t:dir r_dir_perms;
	54	allow postgresql_t postgresql_etc_t:file r_file_perms;
	55	allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
	56
	57	allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
	58	can_exec(postgresql_t, postgresql_exec_t )
	59
	60	allow postgresql_t postgresql_lock_t:file create_file_perms;
	61	files_create_lock(postgresql_t,postgresql_lock_t)
	62
	63	allow postgresql_t postgresql_log_t:dir rw_dir_perms;
	64	allow postgresql_t postgresql_log_t:file create_file_perms;
	65	logging_create_log(postgresql_t,postgresql_log_t,{ file dir })
	66
	67	allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
	68	allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
	69	allow postgresql_t postgresql_tmp_t:file create_file_perms;
	70	allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
	71	allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
	72	files_create_tmp_files(postgresql_t, postgresql_tmp_t, { dir file sock_file })
	73	fs_create_tmpfs_data(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
	74
	75	allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
	76	allow postgresql_t postgresql_var_run_t:file create_file_perms;
	77	allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
	78	files_create_pid(postgresql_t,postgresql_var_run_t)
	79
	80	kernel_read_kernel_sysctl(postgresql_t)
	81	kernel_read_system_state(postgresql_t)
	82	kernel_list_proc(postgresql_t)
	83	kernel_read_all_sysctl(postgresql_t)
	84	kernel_read_proc_symlinks(postgresql_t)
	85	kernel_tcp_recvfrom(postgresql_t)
	86
	87	corenet_tcp_sendrecv_all_if(postgresql_t)
	88	corenet_udp_sendrecv_all_if(postgresql_t)
	89	corenet_raw_sendrecv_all_if(postgresql_t)
	90	corenet_tcp_sendrecv_all_nodes(postgresql_t)
	91	corenet_udp_sendrecv_all_nodes(postgresql_t)
	92	corenet_raw_sendrecv_all_nodes(postgresql_t)
	93	corenet_tcp_sendrecv_all_ports(postgresql_t)
	94	corenet_udp_sendrecv_all_ports(postgresql_t)
	95	corenet_tcp_bind_all_nodes(postgresql_t)
	96	corenet_udp_bind_all_nodes(postgresql_t)
	97	corenet_tcp_bind_postgresql_port(postgresql_t)
	98	corenet_tcp_connect_auth_port(postgresql_t)
	99
100	dev_read_sysfs(postgresql_t)
101	dev_read_urand(postgresql_t)
102
103	fs_getattr_all_fs(postgresql_t)
104	fs_search_auto_mountpoints(postgresql_t)
105
106	term_use_controlling_term(postgresql_t)
107	term_dontaudit_use_console(postgresql_t)
108
109	corecmd_exec_bin(postgresql_t)
110	corecmd_exec_ls(postgresql_t)
111	corecmd_exec_sbin(postgresql_t)
112	corecmd_exec_shell(postgresql_t)
113
114	domain_dontaudit_list_all_domains_proc(postgresql_t)
115	domain_use_wide_inherit_fd(postgresql_t)
116
117	files_dontaudit_search_home(postgresql_t)
118	files_manage_etc_files(postgresql_t)
119	files_search_etc(postgresql_t)
120	files_read_etc_runtime_files(postgresql_t)
121	files_read_usr_files(postgresql_t)
122
123	init_read_script_pid(postgresql_t)
124	init_use_fd(postgresql_t)
125	init_use_script_pty(postgresql_t)
126
127	libs_use_ld_so(postgresql_t)
128	libs_use_shared_libs(postgresql_t)
129
130	logging_send_syslog_msg(postgresql_t)
131
132	miscfiles_read_localization(postgresql_t)
133
134	seutil_dontaudit_search_config(postgresql_t)
135
136	sysnet_read_config(postgresql_t)
137
138	userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
139	userdom_dontaudit_use_sysadm_tty(postgresql_t)
140	userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
141
142	mta_getattr_spool(postgresql_t)
143
144	ifdef(`targeted_policy', `
145	files_dontaudit_read_root_file(postgresql_t)
146	term_dontaudit_use_generic_pty(postgresql_t)
147	term_dontaudit_use_unallocated_tty(postgresql_t)
148	')
149
150	tunable_policy(`allow_execmem',`
151	allow postgresql_t self:process execmem;
152	')
153
154	optional_policy(`consoletype.te', `
155	consoletype_exec(postgresql_t)
156	')
157
158	optional_policy(`cron.te',`
159	cron_search_spool(postgresql_t)
160	cron_system_entry(postgresql_t,postgresql_exec_t)
161	')
162
163	optional_policy(`hostname.te', `
164	hostname_exec(postgresql_t)
165	')
166
167	optional_policy(`kerberos.te',`
168	kerberos_use(postgresql_t)
169	')
170
171	optional_policy(`mount.te',`
172	mount_send_nfs_client_request(postgresql_t)
173	')
174
175	optional_policy(`nis.te',`
176	nis_use_ypbind(postgresql_t)
177	')
178
a1fcff33 CP	179	optional_policy(`selinuxutil.te',`
	180	seutil_sigchld_newrole(postgresql_t)
	181	')
	182
	183	optional_policy(`udev.te', `
	184	udev_read_db(postgresql_t)
	185	')
	186
	187	ifdef(`TODO',`
25c67461 CP	188	optional_policy(`rhgb.te',`
	189	rhgb_domain(postgresql_t)
	190	')
a1fcff33 CP	191	ifdef(`targeted_policy', `', `
	192	bool allow_user_postgresql_connect false;
	193
	194	if (allow_user_postgresql_connect) {
	195	# allow any user domain to connect to the database server
	196	can_tcp_connect(userdomain, postgresql_t)
	197	allow userdomain postgresql_t:unix_stream_socket connectto;
	198	allow userdomain postgresql_var_run_t:sock_file write;
	199	allow userdomain postgresql_tmp_t:sock_file write;
	200	}
	201	')
	202	ifdef(`distro_debian', `
	203	init_exec_script(postgresql_t)
	204	# gross hack
	205	postgresql_domtrans(dpkg_t)
	206	can_exec(postgresql_t, dpkg_exec_t)
	207	')
	208
	209	ifdef(`distro_gentoo', `
	210	allow postgresql_t initrc_su_t:process { sigchld };
	211	# "su - postgres ..." is called from initrc_t
	212	postgresql_search_db_dir(initrc_su_t)
	213	dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
	214	')
	215
	216	# Goes to apache.te:
	217	# Allow httpd to work with postgresql
	218	optional_policy(`postgresql.te', `
	219	# Original policy had apache connecting to postgresql_tmp_t:sock_file
	220	# instead of what is assumed to be correct: postgresql_var_run_t. -Don
	221	postgresql_unix_connect(httpd_t)
	222	')
	223	')