#DESC Postgresql - Database server # # Author: Russell Coker <russell@coker.com.au> # X-Debian-Packages: postgresql # ################################# # # Rules for the postgresql_t domain. # # postgresql_exec_t is the type of the postgresql executable. # daemon_domain(postgresql) allow initrc_t postgresql_exec_t:lnk_file read; allow postgresql_t usr_t:file { getattr read }; allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; ifdef(`distro_debian', ` can_exec(postgresql_t, initrc_exec_t) # gross hack domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t) can_exec(postgresql_t, dpkg_exec_t) ') dontaudit postgresql_t sysadm_home_dir_t:dir search; # quiet ps and killall dontaudit postgresql_t domain:dir { getattr search }; # for currect directory of scripts allow postgresql_t { var_spool_t cron_spool_t }:dir search; # capability kill is for shutdown script allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config }; dontaudit postgresql_t self:capability sys_admin; etcdir_domain(postgresql) type postgresql_db_t, file_type, sysadmfile; logdir_domain(postgresql) ifdef(`crond.te', ` # allow crond to find /usr/lib/postgresql/bin/do.maintenance allow crond_t postgresql_db_t:dir search; system_crond_entry(postgresql_exec_t, postgresql_t) ') tmp_domain(postgresql, `', `{ dir file sock_file }') file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t) # Use the network. can_network(postgresql_t) can_ypbind(postgresql_t) allow postgresql_t self:fifo_file { getattr read write ioctl }; allow postgresql_t self:unix_stream_socket create_stream_socket_perms; can_unix_connect(postgresql_t, self) allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:shm create_shm_perms; ifdef(`targeted_policy', `', ` bool allow_user_postgresql_connect false; if (allow_user_postgresql_connect) { # allow any user domain to connect to the database server can_tcp_connect(userdomain, postgresql_t) allow userdomain postgresql_t:unix_stream_socket connectto; allow userdomain postgresql_var_run_t:sock_file write; allow userdomain postgresql_tmp_t:sock_file write; } ') ifdef(`consoletype.te', ` can_exec(postgresql_t, consoletype_exec_t) ') ifdef(`hostname.te', ` can_exec(postgresql_t, hostname_exec_t) ') allow postgresql_t postgresql_port_t:tcp_socket name_bind; allow postgresql_t auth_port_t:tcp_socket name_connect; allow postgresql_t { proc_t self }:file { getattr read }; # Allow access to the postgresql databases create_dir_file(postgresql_t, postgresql_db_t) file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t) allow postgresql_t var_lib_t:dir { getattr search }; # because postgresql start scripts are broken and put the pid file in the DB # directory rw_dir_file(initrc_t, postgresql_db_t) # read config files allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; r_dir_file(initrc_t, postgresql_etc_t) allow postgresql_t etc_t:dir rw_dir_perms; read_sysctl(postgresql_t) allow postgresql_t devtty_t:chr_file { read write }; allow postgresql_t devpts_t:dir search; allow postgresql_t { bin_t sbin_t }:dir search; allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read }; allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; allow postgresql_t self:sem create_sem_perms; allow postgresql_t initrc_var_run_t:file { getattr read lock }; dontaudit postgresql_t selinux_config_t:dir search; allow postgresql_t mail_spool_t:dir search; lock_domain(postgresql) can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } ) ifdef(`apache.te', ` # # Allow httpd to work with postgresql # allow httpd_t postgresql_tmp_t:sock_file rw_file_perms; can_unix_connect(httpd_t, postgresql_t) ') ifdef(`distro_gentoo', ` # "su - postgres ..." is called from initrc_t allow initrc_su_t postgresql_db_t:dir search; allow postgresql_t initrc_su_t:process sigchld; dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; ') dontaudit postgresql_t home_root_t:dir search; can_kerberos(postgresql_t) allow postgresql_t urandom_device_t:chr_file { getattr read }; if (allow_execmem) { allow postgresql_t self:process execmem; }