From 84497cc8e88095aa17ae9dc11496fe321200134d Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Mon, 17 Dec 2012 10:42:43 +0100
Subject: [PATCH] Postgresql 9.2 connects to its unix stream socket

When starting postgresql, it fails with the (little saying) error message:

pg_ctl: could not start server

In the denials, we notice:

Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400 audit(1353750112.021:10143): avc: denied { connectto } for pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket

Hence, allow postgresql to connect to its own stream socket.

Signed-off-by: Sven Vermeulen
---
 policy/modules/services/postgresql.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0210aefe5..94b1a5798 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -234,7 +234,7 @@ allow postgresql_t self:shm create_shm_perms;
 allow postgresql_t self:tcp_socket create_stream_socket_perms;
 allow postgresql_t self:udp_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow postgresql_t self:netlink_selinux_socket create_socket_perms;
 tunable_policy(`sepgsql_transmit_client_label',`
 allow postgresql_t self:process { setsockcreate };
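Review bot: The new `allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };` line carries no comment explaining why a server domain needs to connect to its own socket, and the reason is only recoverable from the commit message (the denial shows comm="pg_ctl" reaching /run/postgresql/.s.PGSQL.5432). A one-line comment above the rule, `# pg_ctl connects to the server's own socket during startup (postgresql 9.2)`, would keep the next reviewer from reading `connectto` as an unrelated widening. Scoping the grant to `self` appears to be the right minimal change, since it permits connections only to stream sockets that are themselves labeled postgresql_t rather than to other domains' sockets. It would be worth confirming in the description that no further denial (for example on the socket file itself) follows once this rule is in place, since the message quotes only the single avc record.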