139 lines
4.1 KiB
Plaintext
139 lines
4.1 KiB
Plaintext
|
#DESC Postgresql - Database server
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
# X-Debian-Packages: postgresql
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the postgresql_t domain.
|
||
|
#
|
||
|
# postgresql_exec_t is the type of the postgresql executable.
|
||
|
#
|
||
|
daemon_domain(postgresql)
|
||
|
allow initrc_t postgresql_exec_t:lnk_file read;
|
||
|
allow postgresql_t usr_t:file { getattr read };
|
||
|
|
||
|
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
|
||
|
|
||
|
ifdef(`distro_debian', `
|
||
|
can_exec(postgresql_t, initrc_exec_t)
|
||
|
# gross hack
|
||
|
domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
|
||
|
can_exec(postgresql_t, dpkg_exec_t)
|
||
|
')
|
||
|
|
||
|
dontaudit postgresql_t sysadm_home_dir_t:dir search;
|
||
|
|
||
|
# quiet ps and killall
|
||
|
dontaudit postgresql_t domain:dir { getattr search };
|
||
|
|
||
|
# for currect directory of scripts
|
||
|
allow postgresql_t { var_spool_t cron_spool_t }:dir search;
|
||
|
|
||
|
# capability kill is for shutdown script
|
||
|
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
|
||
|
dontaudit postgresql_t self:capability sys_admin;
|
||
|
|
||
|
etcdir_domain(postgresql)
|
||
|
type postgresql_db_t, file_type, sysadmfile;
|
||
|
|
||
|
logdir_domain(postgresql)
|
||
|
|
||
|
ifdef(`crond.te', `
|
||
|
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
|
||
|
allow crond_t postgresql_db_t:dir search;
|
||
|
system_crond_entry(postgresql_exec_t, postgresql_t)
|
||
|
')
|
||
|
|
||
|
tmp_domain(postgresql, `', `{ dir file sock_file }')
|
||
|
file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
|
||
|
|
||
|
# Use the network.
|
||
|
can_network(postgresql_t)
|
||
|
can_ypbind(postgresql_t)
|
||
|
allow postgresql_t self:fifo_file { getattr read write ioctl };
|
||
|
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
can_unix_connect(postgresql_t, self)
|
||
|
allow postgresql_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
allow postgresql_t self:shm create_shm_perms;
|
||
|
|
||
|
ifdef(`targeted_policy', `', `
|
||
|
bool allow_user_postgresql_connect false;
|
||
|
|
||
|
if (allow_user_postgresql_connect) {
|
||
|
# allow any user domain to connect to the database server
|
||
|
can_tcp_connect(userdomain, postgresql_t)
|
||
|
allow userdomain postgresql_t:unix_stream_socket connectto;
|
||
|
allow userdomain postgresql_var_run_t:sock_file write;
|
||
|
allow userdomain postgresql_tmp_t:sock_file write;
|
||
|
}
|
||
|
')
|
||
|
ifdef(`consoletype.te', `
|
||
|
can_exec(postgresql_t, consoletype_exec_t)
|
||
|
')
|
||
|
|
||
|
ifdef(`hostname.te', `
|
||
|
can_exec(postgresql_t, hostname_exec_t)
|
||
|
')
|
||
|
|
||
|
allow postgresql_t postgresql_port_t:tcp_socket name_bind;
|
||
|
allow postgresql_t auth_port_t:tcp_socket name_connect;
|
||
|
|
||
|
allow postgresql_t { proc_t self }:file { getattr read };
|
||
|
|
||
|
# Allow access to the postgresql databases
|
||
|
create_dir_file(postgresql_t, postgresql_db_t)
|
||
|
file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
|
||
|
allow postgresql_t var_lib_t:dir { getattr search };
|
||
|
|
||
|
# because postgresql start scripts are broken and put the pid file in the DB
|
||
|
# directory
|
||
|
rw_dir_file(initrc_t, postgresql_db_t)
|
||
|
|
||
|
# read config files
|
||
|
allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
|
||
|
r_dir_file(initrc_t, postgresql_etc_t)
|
||
|
|
||
|
allow postgresql_t etc_t:dir rw_dir_perms;
|
||
|
|
||
|
read_sysctl(postgresql_t)
|
||
|
|
||
|
allow postgresql_t devtty_t:chr_file { read write };
|
||
|
allow postgresql_t devpts_t:dir search;
|
||
|
|
||
|
allow postgresql_t { bin_t sbin_t }:dir search;
|
||
|
allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
|
||
|
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
||
|
|
||
|
allow postgresql_t self:sem create_sem_perms;
|
||
|
|
||
|
allow postgresql_t initrc_var_run_t:file { getattr read lock };
|
||
|
dontaudit postgresql_t selinux_config_t:dir search;
|
||
|
allow postgresql_t mail_spool_t:dir search;
|
||
|
lock_domain(postgresql)
|
||
|
can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
|
||
|
ifdef(`apache.te', `
|
||
|
#
|
||
|
# Allow httpd to work with postgresql
|
||
|
#
|
||
|
allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
|
||
|
can_unix_connect(httpd_t, postgresql_t)
|
||
|
')
|
||
|
|
||
|
ifdef(`distro_gentoo', `
|
||
|
# "su - postgres ..." is called from initrc_t
|
||
|
allow initrc_su_t postgresql_db_t:dir search;
|
||
|
allow postgresql_t initrc_su_t:process sigchld;
|
||
|
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
|
||
|
')
|
||
|
|
||
|
dontaudit postgresql_t home_root_t:dir search;
|
||
|
can_kerberos(postgresql_t)
|
||
|
allow postgresql_t urandom_device_t:chr_file { getattr read };
|
||
|
|
||
|
if (allow_execmem) {
|
||
|
allow postgresql_t self:process execmem;
|
||
|
}
|