policy_module(postgresql,1.3.0) ################################# # # Declarations # type postgresql_t; type postgresql_exec_t; init_daemon_domain(postgresql_t,postgresql_exec_t) type postgresql_db_t; files_type(postgresql_db_t) type postgresql_etc_t; files_config_file(postgresql_etc_t) type postgresql_lock_t; files_lock_file(postgresql_lock_t) type postgresql_log_t; logging_log_file(postgresql_log_t) type postgresql_tmp_t; files_tmp_file(postgresql_tmp_t) type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) ######################################## # # postgresql Local policy # allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; allow postgresql_t self:process signal_perms; allow postgresql_t self:fifo_file { getattr read write ioctl }; allow postgresql_t self:file { getattr read }; allow postgresql_t self:sem create_sem_perms; allow postgresql_t self:shm create_shm_perms; allow postgresql_t self:tcp_socket create_stream_socket_perms; allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:unix_stream_socket create_stream_socket_perms; allow postgresql_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) allow postgresql_t postgresql_etc_t:dir list_dir_perms; read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t) read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t) allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; can_exec(postgresql_t, postgresql_exec_t ) allow postgresql_t postgresql_lock_t:file manage_file_perms; files_lock_filetrans(postgresql_t,postgresql_lock_t,file) manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t) logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir }) manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t) manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t) files_pid_filetrans(postgresql_t,postgresql_var_run_t,file) kernel_read_kernel_sysctls(postgresql_t) kernel_read_system_state(postgresql_t) kernel_list_proc(postgresql_t) kernel_read_all_sysctls(postgresql_t) kernel_read_proc_symlinks(postgresql_t) corenet_non_ipsec_sendrecv(postgresql_t) corenet_tcp_sendrecv_all_if(postgresql_t) corenet_udp_sendrecv_all_if(postgresql_t) corenet_tcp_sendrecv_all_nodes(postgresql_t) corenet_udp_sendrecv_all_nodes(postgresql_t) corenet_tcp_sendrecv_all_ports(postgresql_t) corenet_udp_sendrecv_all_ports(postgresql_t) corenet_tcp_bind_all_nodes(postgresql_t) corenet_tcp_bind_postgresql_port(postgresql_t) corenet_tcp_connect_auth_port(postgresql_t) corenet_sendrecv_postgresql_server_packets(postgresql_t) corenet_sendrecv_auth_client_packets(postgresql_t) dev_read_sysfs(postgresql_t) dev_read_urand(postgresql_t) fs_getattr_all_fs(postgresql_t) fs_search_auto_mountpoints(postgresql_t) term_use_controlling_term(postgresql_t) corecmd_exec_bin(postgresql_t) corecmd_exec_shell(postgresql_t) domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) files_manage_etc_files(postgresql_t) files_search_etc(postgresql_t) files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) init_read_utmp(postgresql_t) libs_use_ld_so(postgresql_t) libs_use_shared_libs(postgresql_t) logging_send_syslog_msg(postgresql_t) miscfiles_read_localization(postgresql_t) seutil_dontaudit_search_config(postgresql_t) sysnet_read_config(postgresql_t) sysnet_use_ldap(postgresql_t) userdom_dontaudit_search_sysadm_home_dirs(postgresql_t) userdom_dontaudit_use_sysadm_ttys(postgresql_t) userdom_dontaudit_use_unpriv_user_fds(postgresql_t) mta_getattr_spool(postgresql_t) ifdef(`targeted_policy', ` files_dontaudit_read_root_files(postgresql_t) term_dontaudit_use_generic_ptys(postgresql_t) term_dontaudit_use_unallocated_ttys(postgresql_t) ') tunable_policy(`allow_execmem',` allow postgresql_t self:process execmem; ') optional_policy(` consoletype_exec(postgresql_t) ') optional_policy(` cron_search_spool(postgresql_t) cron_system_entry(postgresql_t,postgresql_exec_t) ') optional_policy(` hostname_exec(postgresql_t) ') optional_policy(` kerberos_use(postgresql_t) ') optional_policy(` nis_use_ypbind(postgresql_t) ') optional_policy(` seutil_sigchld_newrole(postgresql_t) ') optional_policy(` udev_read_db(postgresql_t) ') ifdef(`TODO',` ifdef(`distro_debian', ` init_exec_script_files(postgresql_t) # gross hack postgresql_domtrans(dpkg_t) can_exec(postgresql_t, dpkg_exec_t) ') ifdef(`distro_gentoo', ` allow postgresql_t initrc_su_t:process { sigchld }; # "su - postgres ..." is called from initrc_t postgresql_search_db(initrc_su_t) dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; ') ')