trunk: add sepostgresql policy from kaigai kohei.

2008-06-10 15:33:18 +00:00 · 2008-06-10 15:33:18 +00:00 · e8cb08aefa
parent 67b6207a9e
commit e8cb08aefa
15 changed files with 493 additions and 10 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- SE-Postgresql policy from KaiGai Kohei.
 - Patch for X.org dbus support from Martin Orr.
 - Patch for labeled networking controls in 2.6.25 from Paul Moore.
 - Module loading now requires setsched on kernel threads.
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -2551,6 +2551,35 @@ interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
 	dontaudit $1 unlabeled_t:peer recv;
 ')

+########################################
+## <summary>
+##      Relabel from unlabeled database objects.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_database',`
+	gen_require(`
+		type unlabeled_t;
+		class db_database { setattr relabelfrom };
+		class db_table { setattr relabelfrom };
+		class db_procedure { setattr relabelfrom };
+		class db_column { setattr relabelfrom };
+		class db_tuple { update relabelfrom };
+		class db_blob { setattr relabelfrom };
+	')
+
+	allow $1 unlabeled_t:db_database { setattr relabelfrom };
+	allow $1 unlabeled_t:db_table { setattr relabelfrom };
+	allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
+	allow $1 unlabeled_t:db_column { setattr relabelfrom };
+	allow $1 unlabeled_t:db_tuple { update relabelfrom };
+	allow $1 unlabeled_t:db_blob { setattr relabelfrom };
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to kernel module resources.
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@

-policy_module(kernel,1.9.4)
+policy_module(kernel,1.9.5)

 ########################################
 #
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@ -225,6 +225,10 @@ template(`apache_content_template',`
 		')
 	')

+	optional_policy(`
+		postgresql_unpriv_client(httpd_$1_script_t)
+	')
+
 	optional_policy(`
 		nscd_socket_use(httpd_$1_script_t)
 	')
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -1,5 +1,5 @@

-policy_module(apache,1.9.1)
+policy_module(apache,1.9.2)

 #
 # NOTES: 
@ -475,6 +475,7 @@ optional_policy(`
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
+	postgresql_unpriv_client(httpd_t)

 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@ -6,8 +6,8 @@
 #
 # /usr
 #
-/usr/bin/initdb			--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb(\.sepgsql)?	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/(se)?postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)

 /usr/lib/pgsql/test/regres(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
@ -30,8 +30,12 @@ ifdef(`distro_redhat', `
 /var/lib/pgsql/data(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
 /var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)

+/var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
+
 /var/log/postgres\.log.* 	--	gen_context(system_u:object_r:postgresql_log_t,s0)
 /var/log/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.*	--	gen_context(system_u:object_r:postgresql_log_t,s0)

 ifdef(`distro_redhat', `
 /var/log/rhdb/rhdb(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@ -1,5 +1,206 @@
 ## <summary>PostgreSQL relational database</summary>

+#######################################
+## <summary>
+##      The userdomain template for the SE-PostgreSQL.
+## </summary>
+## <desc>
+##      This template creates a delivered types which are used
+##	for given userdomains.
+## </desc>
+## <param name="userdomain_prefix">
+##      <summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##      </summary>
+## </param>
+## <param name="user_domain">
+## 	<summary>
+##      The type of the user domain.
+##      </summary>
+## </param>
+## <param name="user_role">
+##      <summary>
+##      The role associated with the user domain.
+##      </summary>
+## </param>
+#
+template(`postgresql_userdom_template',`
+	gen_require(`
+		class db_database all_db_database_perms;
+		class db_table all_db_table_perms;
+		class db_procedure all_db_procedure_perms;
+		class db_column all_db_column_perms;
+		class db_tuple all_db_tuple_perms;
+		class db_blob all_db_blob_perms;
+
+		attribute sepgsql_client_type, sepgsql_database_type;
+		attribute sepgsql_sysobj_table_type;
+
+		type sepgsql_trusted_proc_t, sepgsql_trusted_domain_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	typeattribute $2 sepgsql_client_type;
+
+	type $1_sepgsql_blob_t;
+	postgresql_blob_object($1_sepgsql_blob_t)
+
+	type $1_sepgsql_proc_t;
+	postgresql_procedure_object($1_sepgsql_proc_t)
+
+	type $1_sepgsql_sysobj_t;
+	postgresql_system_table_object($1_sepgsql_sysobj_t)
+
+	type $1_sepgsql_table_t;
+	postgresql_table_object($1_sepgsql_table_t)
+
+	role $3 types sepgsql_trusted_domain_t;
+
+	##############################
+	#
+	# Client local policy
+	#
+
+	tunable_policy(`sepgsql_enable_users_ddl',`
+		allow $2 $1_sepgsql_table_t  : db_table { create drop };
+		type_transition $2 sepgsql_database_type:db_table $1_sepgsql_table_t;
+
+		allow $2 $1_sepgsql_table_t  : db_column { create drop };
+
+		allow $2 $1_sepgsql_sysobj_t : db_tuple { update insert delete };
+		type_transition $2 sepgsql_sysobj_table_type:db_tuple $1_sepgsql_sysobj_t;
+	')
+
+	allow $2 $1_sepgsql_table_t  : db_table  { getattr setattr use select update insert delete };
+	allow $2 $1_sepgsql_table_t  : db_column { getattr setattr use select update insert };
+	allow $2 $1_sepgsql_table_t  : db_tuple  { use select update insert delete };
+	allow $2 $1_sepgsql_sysobj_t : db_tuple  { use select };
+
+	allow $2 $1_sepgsql_proc_t : db_procedure { create drop getattr setattr execute };
+	type_transition $2 sepgsql_database_type:db_procedure $1_sepgsql_proc_t;
+
+	allow $2 $1_sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+	type_transition $2 sepgsql_database_type:db_blob $1_sepgsql_blob_t;
+
+	allow $2 sepgsql_trusted_domain_t:process transition;
+	type_transition $2 sepgsql_trusted_proc_t:process sepgsql_trusted_domain_t;
+')
+
+########################################
+## <summary>
+##     Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type marked as a database object type.
+##     </summary>
+## </param>
+#
+interface(`postgresql_loadable_module',`
+	gen_require(`
+		attribute sepgsql_module_type;
+	')
+
+	typeattribute $1 sepgsql_module_type;
+')
+
+########################################
+## <summary>
+##     Marks as a SE-PostgreSQL database object type
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type marked as a database object type.
+##     </summary>
+## </param>
+#
+interface(`postgresql_database_object',`
+	gen_require(`
+		attribute sepgsql_database_type;
+	')
+
+	typeattribute $1 sepgsql_database_type;
+')
+
+########################################
+## <summary>
+##     Marks as a SE-PostgreSQL table/column/tuple object type
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type marked as a table/column/tuple object type.
+##     </summary>
+## </param>
+#
+interface(`postgresql_table_object',`
+	gen_require(`
+		attribute sepgsql_table_type;
+	')
+
+	typeattribute $1 sepgsql_table_type;
+')
+
+########################################
+## <summary>
+##     Marks as a SE-PostgreSQL system table/column/tuple object type
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type marked as a table/column/tuple object type.
+##     </summary>
+## </param>
+#
+interface(`postgresql_system_table_object',`
+	gen_require(`
+		attribute sepgsql_table_type;
+		attribute sepgsql_sysobj_table_type;
+	')
+
+	typeattribute $1 sepgsql_table_type;
+	typeattribute $1 sepgsql_sysobj_table_type;
+')
+
+########################################
+## <summary>
+##     Marks as a SE-PostgreSQL procedure object type
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type marked as a database object type.
+##     </summary>
+## </param>
+#
+interface(`postgresql_procedure_object',`
+	gen_require(`
+		attribute sepgsql_procedure_type;
+	')
+
+	typeattribute $1 sepgsql_procedure_type;
+')
+
+########################################
+## <summary>
+##     Marks as a SE-PostgreSQL binary large object type
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type marked as a database binary large object type.
+##     </summary>
+## </param>
+#
+interface(`postgresql_blob_object',`
+	gen_require(`
+		attribute sepgsql_blob_type;
+	')
+
+	typeattribute $1 sepgsql_blob_type;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to search postgresql's database directory.
@ -120,3 +321,57 @@ interface(`postgresql_stream_connect',`
        # Some versions of postgresql put the sock file in /tmp
 	allow $1 postgresql_tmp_t:sock_file write;
 ')
+
+########################################
+## <summary>
+##      Allow the specified domain unprivileged accesses to unifined database objects
+##	managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`postgresql_unpriv_client',`
+	gen_require(`
+		class db_table all_db_table_perms;
+		class db_procedure all_db_procedure_perms;
+		class db_blob all_db_blob_perms;
+
+		attribute sepgsql_client_type;
+		attribute sepgsql_database_type;
+
+		type sepgsql_table_t, sepgsql_proc_t, sepgsql_blob_t;
+
+		type sepgsql_trusted_proc_t, sepgsql_trusted_domain_t;
+	')
+
+	typeattribute $1 sepgsql_client_type;
+
+	type_transition $1 sepgsql_database_type:db_table sepgsql_table_t;
+	type_transition $1 sepgsql_database_type:db_procedure sepgsql_proc_t;
+	type_transition $1 sepgsql_database_type:db_blob sepgsql_blob_t;
+
+	type_transition $1 sepgsql_trusted_proc_t:process sepgsql_trusted_domain_t;
+	allow $1 sepgsql_trusted_domain_t:process transition;
+')
+
+########################################
+## <summary>
+##      Allow the specified domain unconfined accesses to any database objects
+##	managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`postgresql_unconfined',`
+	gen_require(`
+		attribute sepgsql_unconfined_type;
+	')
+
+	typeattribute $1 sepgsql_unconfined_type;
+')
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@ -1,10 +1,27 @@

-policy_module(postgresql,1.5.1)
+policy_module(postgresql, 1.5.2)
+
+gen_require(`
+	class db_database all_db_database_perms;
+	class db_table all_db_table_perms;
+	class db_procedure all_db_procedure_perms;
+	class db_column all_db_column_perms;
+	class db_tuple all_db_tuple_perms;
+	class db_blob all_db_blob_perms;
+')

 #################################
 #
 # Declarations
 #
+
+## <desc>
+## <p>
+## Allow unprived users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl, true)
+
 type postgresql_t;
 type postgresql_exec_t;
 init_daemon_domain(postgresql_t,postgresql_exec_t)
@ -27,6 +44,58 @@ files_tmp_file(postgresql_tmp_t)
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)

+# database clients attribute
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_sysobj_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database object types
+type sepgsql_blob_t;
+postgresql_blob_object(sepgsql_blob_t)
+
+type sepgsql_db_t;
+postgresql_database_object(sepgsql_db_t)
+
+type sepgsql_fixed_table_t;
+postgresql_table_object(sepgsql_fixed_table_t)
+
+type sepgsql_proc_t;
+postgresql_procedure_object(sepgsql_proc_t)
+
+type sepgsql_ro_blob_t;
+postgresql_blob_object(sepgsql_ro_blob_t)
+
+type sepgsql_ro_table_t;
+postgresql_table_object(sepgsql_ro_table_t)
+
+type sepgsql_secret_blob_t;
+postgresql_blob_object(sepgsql_secret_blob_t)
+
+type sepgsql_secret_table_t;
+postgresql_table_object(sepgsql_secret_table_t)
+
+type sepgsql_sysobj_t;
+postgresql_system_table_object(sepgsql_sysobj_t)
+
+type sepgsql_table_t;
+postgresql_table_object(sepgsql_table_t)
+
+type sepgsql_trusted_proc_t;
+postgresql_procedure_object(sepgsql_trusted_proc_t)
+
+# Trusted Procedure Domain
+type sepgsql_trusted_domain_t;
+domain_type(sepgsql_trusted_domain_t)
+postgresql_unconfined(sepgsql_trusted_domain_t)
+role system_r types sepgsql_trusted_domain_t;
+
 ########################################
 #
 # postgresql Local policy
@ -42,6 +111,23 @@ allow postgresql_t self:tcp_socket create_stream_socket_perms;
 allow postgresql_t self:udp_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+
+allow postgresql_t sepgsql_database_type:db_database *;
+type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
+
+allow postgresql_t sepgsql_module_type:db_database install_module;
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type:db_database load_module;
+
+allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
+type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
+
+allow postgresql_t sepgsql_procedure_type:db_procedure *;
+type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
+
+allow postgresql_t sepgsql_blob_type:db_blob *;
+type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;

 manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
 manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
@ -101,6 +187,12 @@ dev_read_urand(postgresql_t)
 fs_getattr_all_fs(postgresql_t)
 fs_search_auto_mountpoints(postgresql_t)

+selinux_get_enforce_mode(postgresql_t)
+selinux_validate_context(postgresql_t)
+selinux_compute_access_vector(postgresql_t)
+selinux_compute_create_context(postgresql_t)
+selinux_compute_relabel_context(postgresql_t)
+
 term_use_controlling_term(postgresql_t)

 corecmd_exec_bin(postgresql_t)
@ -126,7 +218,7 @@ logging_send_syslog_msg(postgresql_t)

 miscfiles_read_localization(postgresql_t)

-seutil_dontaudit_search_config(postgresql_t)
+seutil_libselinux_linked(postgresql_t)

 userdom_dontaudit_use_unpriv_user_fds(postgresql_t)

@ -167,3 +259,81 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(postgresql_t)
 ')
+
+########################################
+#
+# Rules common to all clients
+#
+
+allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
+type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
+
+allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
+
+allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete };
+allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
+allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
+
+allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
+allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
+
+allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
+allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
+
+allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
+allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
+
+# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
+# If a client tries to SELECT a table including violated tuples, these are filtered from
+# the result set as if not exist, but its access denied longs can be recorded within log files.
+# In generally, the number of tuples are much larger than the number of columns, tables and so on.
+# So, it makes a flood of logs when many tuples are violated.
+#
+# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
+# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
+# to access classified tuples and can make a audit record.
+#
+# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
+dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+
+tunable_policy(`sepgsql_enable_users_ddl',`
+	allow sepgsql_client_type sepgsql_table_t:db_table  { create drop setattr };
+	allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
+	allow sepgsql_client_type sepgsql_sysobj_t:db_tuple  { update insert delete };
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
+type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
+
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
+
+allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
+
+# unconfined domain is not allowed to invoke user defined procedure directly.
+# They have to confirm and relabel it at first.
+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
+allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
+
+allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+
+allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
+
+kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@ -38,6 +38,8 @@ ifdef(`distro_gentoo', `
 #
 # /usr
 #
+/usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)

--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -1,5 +1,5 @@

-policy_module(init,1.10.1)
+policy_module(init,1.10.2)

 gen_require(`
 	class passwd rootok;
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@ -1,5 +1,5 @@

-policy_module(libraries,2.1.0)
+policy_module(libraries,2.1.1)

 ########################################
 #
@ -39,6 +39,11 @@ files_type(lib_t)
 type textrel_shlib_t alias texrel_shlib_t;
 files_type(textrel_shlib_t)

+optional_policy(`
+	postgresql_loadable_module(lib_t)
+	postgresql_loadable_module(textrel_shlib_t)
+')
+
 ########################################
 #
 # ldconfig local policy
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@ -87,6 +87,10 @@ interface(`unconfined_domain_noaudit',`
 		nscd_unconfined($1)
 	')

+	optional_policy(`
+		postgresql_unconfined($1)
+	')
+
 	optional_policy(`
 		seutil_create_bin_policy($1)
 		seutil_relabelto_bin_policy($1)
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@

-policy_module(unconfined, 2.2.1)
+policy_module(unconfined, 2.2.2)

 ########################################
 #
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1197,6 +1197,10 @@ template(`userdom_unpriv_user_template', `
 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')

+	optional_policy(`
+		postgresql_userdom_template($1,$1_t,$1_r)
+	')
+
 	# Run pppd in pppd_t by default for user
 	optional_policy(`
 		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@ -1366,6 +1370,10 @@ template(`userdom_admin_user_template',`
 		fs_read_noxattr_fs_files($1_t)
 	')

+	optional_policy(`
+		postgresql_unconfined($1_t)
+	')
+
 	optional_policy(`
 		userhelper_exec($1_t)
 	')
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -1,5 +1,5 @@

-policy_module(userdomain, 3.0.1)
+policy_module(userdomain, 3.0.2)

 ########################################
 #