trunk: Tunable connection to postgresql for users from KaiGai Kohei.

Chris PeBenito 2007-06-19 14:30:06 +00:00
parent 41337aa8b9
commit cb10a2d5bf
4 changed files with 15 additions and 11 deletions


@ -1,3 +1,4 @@
- Tunable connection to postgresql for users from KaiGai Kohei.
- Memprotect support patch from Stephen Smalley. - Memprotect support patch from Stephen Smalley.
- Add logging_send_audit_msgs() interface and deprecate - Add logging_send_audit_msgs() interface and deprecate
send_audit_msgs_pattern(). send_audit_msgs_pattern().


@ -175,16 +175,6 @@ optional_policy(`
') ')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`targeted_policy', `', `
bool allow_user_postgresql_connect false;
if (allow_user_postgresql_connect) {
# allow any user domain to connect to the database server
allow userdomain postgresql_t:unix_stream_socket connectto;
allow userdomain postgresql_var_run_t:sock_file write;
allow userdomain postgresql_tmp_t:sock_file write;
}
')
ifdef(`distro_debian', ` ifdef(`distro_debian', `
init_exec_script_files(postgresql_t) init_exec_script_files(postgresql_t)
# gross hack # gross hack


@ -904,6 +904,12 @@ template(`userdom_common_user_template',`
pcscd_stream_connect($1_t) pcscd_stream_connect($1_t)
') ')
optional_policy(`
tunable_policy(`allow_user_postgresql_connect',`
postgresql_stream_connect($1_t)
')
')
optional_policy(` optional_policy(`
quota_dontaudit_getattr_db($1_t) quota_dontaudit_getattr_db($1_t)
') ')
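Review bot: The new `tunable_policy(`allow_user_postgresql_connect', ...)` block in `userdom_common_user_template` has no comment saying what access the boolean enables or for whom. Because it sits in the common template, it presumably applies to every domain instantiated through it, not only unprivileged users. The rules removed from the postgresql module granted `connectto` on the `postgresql_t` unix stream socket plus `write` on the `postgresql_var_run_t` and `postgresql_tmp_t` socket files. The body of `postgresql_stream_connect()` is not visible on this page, so it is worth confirming that it grants the same set and nothing broader. I would add `# local unix-socket connection to the PostgreSQL server for all domains built from this template; off by default` above the `tunable_policy` line; the template body starts and ends outside this hunk.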


@ -1,5 +1,5 @@
policy_module(userdomain,2.2.2) policy_module(userdomain,2.2.3)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;
@ -30,6 +30,13 @@ gen_tunable(allow_ptrace,false)
## </desc> ## </desc>
gen_tunable(allow_user_mysql_connect,false) gen_tunable(allow_user_mysql_connect,false)
## <desc>
## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
gen_tunable(allow_user_postgresql_connect,false)
## <desc> ## <desc>
## <p> ## <p>
## Allow regular users direct mouse access ## Allow regular users direct mouse access