From cb10a2d5bf5e5ab0e6e3b2ffc5c01c48ac0d89d6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 19 Jun 2007 14:30:06 +0000 Subject: [PATCH] trunk: Tunable connection to postgresql for users from KaiGai Kohei. --- Changelog | 1 + policy/modules/services/postgresql.te | 10 ---------- policy/modules/system/userdomain.if | 6 ++++++ policy/modules/system/userdomain.te | 9 ++++++++- 4 files changed, 15 insertions(+), 11 deletions(-) diff --git a/Changelog b/Changelog index 0e09011f..6f9a3fb8 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Tunable connection to postgresql for users from KaiGai Kohei. - Memprotect support patch from Stephen Smalley. - Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern(). diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index ab075ab8..e5a6a25a 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -175,16 +175,6 @@ optional_policy(` ') ifdef(`TODO',` -ifdef(`targeted_policy', `', ` -bool allow_user_postgresql_connect false; - -if (allow_user_postgresql_connect) { -# allow any user domain to connect to the database server -allow userdomain postgresql_t:unix_stream_socket connectto; -allow userdomain postgresql_var_run_t:sock_file write; -allow userdomain postgresql_tmp_t:sock_file write; -} -') ifdef(`distro_debian', ` init_exec_script_files(postgresql_t) # gross hack diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 60f6fd80..fcd45722 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -904,6 +904,12 @@ template(`userdom_common_user_template',` pcscd_stream_connect($1_t) ') + optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_t) + ') + ') + optional_policy(` quota_dontaudit_getattr_db($1_t) ') 
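Review bot: In the userdomain.if hunk the new `postgresql_stream_connect($1_t)` call is only a like-for-like replacement of the deleted postgresql.te block if that interface also grants `write` on `postgresql_var_run_t:sock_file` and `postgresql_tmp_t:sock_file`, because the removed rules granted those alongside `unix_stream_socket connectto`; the interface is defined outside this diff, so it is worth confirming it covers both socket locations. The removed block was also wrapped in `ifdef(`targeted_policy', `', ...)`, whereas the new `tunable_policy` applies to every policy type, a widening of scope the commit message does not mention and that should be stated if intended. Since the call sits inside `userdom_common_user_template`, switching the boolean on affects every user domain generated from that template at once, so the tunable description added in userdomain.te would be clearer as `## Allow every user domain built from userdom_common_user_template to connect to the PostgreSQL server socket`. The template itself begins and ends outside this hunk.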
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 1ad652d4..22ac2f2a 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,2.2.2) +policy_module(userdomain,2.2.3) gen_require(` role sysadm_r, staff_r, user_r; @@ -30,6 +30,13 @@ gen_tunable(allow_ptrace,false) ## gen_tunable(allow_user_mysql_connect,false) +## +##

+## Allow users to connect to PostgreSQL +##

+##
+gen_tunable(allow_user_postgresql_connect,false) + ## ##

## Allow regular users direct mouse access