]>
Commit | Line | Data |
---|---|---|
a1fcff33 | 1 | |
5ea24be9 | 2 | policy_module(postgresql,1.1.0) |
a1fcff33 CP |
3 | |
4 | ################################# | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | type postgresql_t; | |
9 | type postgresql_exec_t; | |
10 | init_daemon_domain(postgresql_t,postgresql_exec_t) | |
11 | ||
12 | type postgresql_db_t; | |
13 | files_type(postgresql_db_t) | |
14 | ||
9bbc757a CP |
15 | type postgresql_etc_t; |
16 | files_config_file(postgresql_etc_t) | |
a1fcff33 CP |
17 | |
18 | type postgresql_lock_t; | |
19 | files_lock_file(postgresql_lock_t) | |
20 | ||
21 | type postgresql_log_t; | |
22 | logging_log_file(postgresql_log_t) | |
23 | ||
24 | type postgresql_tmp_t; | |
25 | files_tmp_file(postgresql_tmp_t) | |
26 | ||
27 | type postgresql_var_run_t; | |
28 | files_pid_file(postgresql_var_run_t) | |
29 | ||
30 | ######################################## | |
31 | # | |
32 | # postgresql Local policy | |
33 | # | |
34 | allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; | |
57d8e6c7 | 35 | allow postgresql_t self:process signal_perms; |
a1fcff33 CP |
36 | allow postgresql_t self:fifo_file { getattr read write ioctl }; |
37 | allow postgresql_t self:file { getattr read }; | |
38 | allow postgresql_t self:sem create_sem_perms; | |
39 | allow postgresql_t self:shm create_shm_perms; | |
40 | allow postgresql_t self:tcp_socket create_stream_socket_perms; | |
41 | allow postgresql_t self:udp_socket create_stream_socket_perms; | |
42 | allow postgresql_t self:unix_dgram_socket create_socket_perms; | |
43 | allow postgresql_t self:unix_stream_socket create_stream_socket_perms; | |
44 | dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; | |
45 | ||
46 | allow postgresql_t postgresql_db_t:dir create_dir_perms; | |
47 | allow postgresql_t postgresql_db_t:fifo_file create_file_perms; | |
48 | allow postgresql_t postgresql_db_t:file create_file_perms; | |
49 | allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms; | |
50 | allow postgresql_t postgresql_db_t:sock_file create_file_perms; | |
103fe280 | 51 | files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) |
a1fcff33 CP |
52 | |
53 | allow postgresql_t postgresql_etc_t:dir r_dir_perms; | |
54 | allow postgresql_t postgresql_etc_t:file r_file_perms; | |
55 | allow postgresql_t postgresql_etc_t:lnk_file { getattr read }; | |
56 | ||
57 | allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; | |
58 | can_exec(postgresql_t, postgresql_exec_t ) | |
59 | ||
60 | allow postgresql_t postgresql_lock_t:file create_file_perms; | |
1c1ac67f | 61 | files_lock_filetrans(postgresql_t,postgresql_lock_t,file) |
a1fcff33 CP |
62 | |
63 | allow postgresql_t postgresql_log_t:dir rw_dir_perms; | |
64 | allow postgresql_t postgresql_log_t:file create_file_perms; | |
103fe280 | 65 | logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir }) |
a1fcff33 CP |
66 | |
67 | allow postgresql_t postgresql_tmp_t:dir create_dir_perms; | |
68 | allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms; | |
69 | allow postgresql_t postgresql_tmp_t:file create_file_perms; | |
70 | allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms; | |
71 | allow postgresql_t postgresql_tmp_t:sock_file create_file_perms; | |
103fe280 CP |
72 | files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) |
73 | fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) | |
a1fcff33 CP |
74 | |
75 | allow postgresql_t postgresql_var_run_t:dir rw_dir_perms; | |
76 | allow postgresql_t postgresql_var_run_t:file create_file_perms; | |
77 | allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; | |
1c1ac67f | 78 | files_pid_filetrans(postgresql_t,postgresql_var_run_t,file) |
a1fcff33 | 79 | |
445522dc | 80 | kernel_read_kernel_sysctls(postgresql_t) |
a1fcff33 CP |
81 | kernel_read_system_state(postgresql_t) |
82 | kernel_list_proc(postgresql_t) | |
445522dc | 83 | kernel_read_all_sysctls(postgresql_t) |
a1fcff33 CP |
84 | kernel_read_proc_symlinks(postgresql_t) |
85 | kernel_tcp_recvfrom(postgresql_t) | |
86 | ||
87 | corenet_tcp_sendrecv_all_if(postgresql_t) | |
88 | corenet_udp_sendrecv_all_if(postgresql_t) | |
89 | corenet_raw_sendrecv_all_if(postgresql_t) | |
90 | corenet_tcp_sendrecv_all_nodes(postgresql_t) | |
91 | corenet_udp_sendrecv_all_nodes(postgresql_t) | |
92 | corenet_raw_sendrecv_all_nodes(postgresql_t) | |
93 | corenet_tcp_sendrecv_all_ports(postgresql_t) | |
94 | corenet_udp_sendrecv_all_ports(postgresql_t) | |
bd70373d | 95 | corenet_non_ipsec_sendrecv(postgresql_t) |
a1fcff33 CP |
96 | corenet_tcp_bind_all_nodes(postgresql_t) |
97 | corenet_udp_bind_all_nodes(postgresql_t) | |
98 | corenet_tcp_bind_postgresql_port(postgresql_t) | |
99 | corenet_tcp_connect_auth_port(postgresql_t) | |
100 | ||
101 | dev_read_sysfs(postgresql_t) | |
102 | dev_read_urand(postgresql_t) | |
103 | ||
104 | fs_getattr_all_fs(postgresql_t) | |
105 | fs_search_auto_mountpoints(postgresql_t) | |
106 | ||
107 | term_use_controlling_term(postgresql_t) | |
108 | term_dontaudit_use_console(postgresql_t) | |
109 | ||
110 | corecmd_exec_bin(postgresql_t) | |
111 | corecmd_exec_ls(postgresql_t) | |
112 | corecmd_exec_sbin(postgresql_t) | |
113 | corecmd_exec_shell(postgresql_t) | |
114 | ||
1815bad1 | 115 | domain_dontaudit_list_all_domains_state(postgresql_t) |
15722ec9 | 116 | domain_use_interactive_fds(postgresql_t) |
a1fcff33 CP |
117 | |
118 | files_dontaudit_search_home(postgresql_t) | |
119 | files_manage_etc_files(postgresql_t) | |
120 | files_search_etc(postgresql_t) | |
121 | files_read_etc_runtime_files(postgresql_t) | |
122 | files_read_usr_files(postgresql_t) | |
123 | ||
68228b33 | 124 | init_read_utmp(postgresql_t) |
1c1ac67f | 125 | init_use_fds(postgresql_t) |
1815bad1 | 126 | init_use_script_ptys(postgresql_t) |
a1fcff33 CP |
127 | |
128 | libs_use_ld_so(postgresql_t) | |
129 | libs_use_shared_libs(postgresql_t) | |
130 | ||
131 | logging_send_syslog_msg(postgresql_t) | |
132 | ||
133 | miscfiles_read_localization(postgresql_t) | |
134 | ||
135 | seutil_dontaudit_search_config(postgresql_t) | |
136 | ||
137 | sysnet_read_config(postgresql_t) | |
138 | ||
103fe280 | 139 | userdom_dontaudit_search_sysadm_home_dirs(postgresql_t) |
1815bad1 | 140 | userdom_dontaudit_use_sysadm_ttys(postgresql_t) |
15722ec9 | 141 | userdom_dontaudit_use_unpriv_user_fds(postgresql_t) |
a1fcff33 CP |
142 | |
143 | mta_getattr_spool(postgresql_t) | |
144 | ||
145 | ifdef(`targeted_policy', ` | |
9e04f5c5 | 146 | files_dontaudit_read_root_files(postgresql_t) |
1815bad1 CP |
147 | term_dontaudit_use_generic_ptys(postgresql_t) |
148 | term_dontaudit_use_unallocated_ttys(postgresql_t) | |
a1fcff33 CP |
149 | ') |
150 | ||
151 | tunable_policy(`allow_execmem',` | |
152 | allow postgresql_t self:process execmem; | |
153 | ') | |
154 | ||
1328802a | 155 | optional_policy(`consoletype',` |
a1fcff33 CP |
156 | consoletype_exec(postgresql_t) |
157 | ') | |
158 | ||
1328802a | 159 | optional_policy(`cron',` |
a1fcff33 CP |
160 | cron_search_spool(postgresql_t) |
161 | cron_system_entry(postgresql_t,postgresql_exec_t) | |
162 | ') | |
163 | ||
1328802a | 164 | optional_policy(`hostname',` |
a1fcff33 CP |
165 | hostname_exec(postgresql_t) |
166 | ') | |
167 | ||
1328802a | 168 | optional_policy(`kerberos',` |
a1fcff33 CP |
169 | kerberos_use(postgresql_t) |
170 | ') | |
171 | ||
1328802a | 172 | optional_policy(`mount',` |
a1fcff33 CP |
173 | mount_send_nfs_client_request(postgresql_t) |
174 | ') | |
175 | ||
1328802a | 176 | optional_policy(`nis',` |
a1fcff33 CP |
177 | nis_use_ypbind(postgresql_t) |
178 | ') | |
179 | ||
1328802a | 180 | optional_policy(`selinuxutil',` |
a1fcff33 CP |
181 | seutil_sigchld_newrole(postgresql_t) |
182 | ') | |
183 | ||
1328802a | 184 | optional_policy(`udev',` |
a1fcff33 CP |
185 | udev_read_db(postgresql_t) |
186 | ') | |
187 | ||
188 | ifdef(`TODO',` | |
189 | ifdef(`targeted_policy', `', ` | |
190 | bool allow_user_postgresql_connect false; | |
191 | ||
192 | if (allow_user_postgresql_connect) { | |
193 | # allow any user domain to connect to the database server | |
194 | can_tcp_connect(userdomain, postgresql_t) | |
195 | allow userdomain postgresql_t:unix_stream_socket connectto; | |
196 | allow userdomain postgresql_var_run_t:sock_file write; | |
197 | allow userdomain postgresql_tmp_t:sock_file write; | |
198 | } | |
199 | ') | |
200 | ifdef(`distro_debian', ` | |
f7547934 | 201 | init_exec_script_files(postgresql_t) |
a1fcff33 CP |
202 | # gross hack |
203 | postgresql_domtrans(dpkg_t) | |
204 | can_exec(postgresql_t, dpkg_exec_t) | |
205 | ') | |
206 | ||
207 | ifdef(`distro_gentoo', ` | |
208 | allow postgresql_t initrc_su_t:process { sigchld }; | |
209 | # "su - postgres ..." is called from initrc_t | |
1815bad1 | 210 | postgresql_search_db(initrc_su_t) |
a1fcff33 CP |
211 | dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; |
212 | ') | |
a1fcff33 | 213 | ') |