From 86462c81ecc5cedf166bde813b4e683a42aea916 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 8 Aug 2021 11:00:27 -0400 Subject: [PATCH] postgresql, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge --- policy/modules/roles/staff.te | 2 +- policy/modules/roles/unprivuser.te | 2 +- policy/modules/services/postgresql.if | 28 +++++++++++++++++++++------ 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 6645d23a4..4d63fd891 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -37,7 +37,7 @@ optional_policy(` ') optional_policy(` - postgresql_role(staff_r, staff_t) + postgresql_role(staff, staff_t, staff_application_exec_domain, staff_r) ') optional_policy(` diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 5e412f88f..88abfb5bd 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -119,7 +119,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - postgresql_role(user_r, user_t) + postgresql_role(user, user_t, user_application_exec_domain, user_r) ') optional_policy(` diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index c94cb3d47..e3c841031 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -4,18 +4,29 @@ ## ## Role access for SE-PostgreSQL. ## -## +## ## -## The role associated with the user domain. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## ## ## -## The type of the user domain. +## User domain for the role. +## +## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access ## ## # -interface(`postgresql_role',` +template(`postgresql_role',` gen_require(` class db_database all_db_database_perms; class db_schema all_db_schema_perms; 
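Review bot: The new `$3` parameter, documented in this hunk as `User exec domain for execute and transition access`, is never referenced by the patch: the three postgresql.if hunks account for all 22 insertions and 6 deletions shown in the diffstat, and the trusted-proc transition lines in the third hunk (`allow $2 sepgsql_trusted_proc_t:process transition;` and the `type_transition` beneath it) still apply to `$2`. Given the subject line, those rules presumably should take `$3`, or the parameter doc should state that it is accepted only for signature consistency with the other role templates and is currently unused — as written it describes access that is not granted. The `interface` to `template` change at the end of the hunk also merits a sentence in the summary, since `$1` has changed meaning from a role to a bare prefix consumed by `systemd_user_app_status` in the third hunk; a caller still using the old two-argument form would leave `$4` empty in `role $4 types …` and presumably fail at build time rather than silently keep working. The body of postgresql_role continues past this hunk.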
@@ -46,8 +57,8 @@ interface(`postgresql_role',` # typeattribute $2 sepgsql_client_type; - role $1 types sepgsql_trusted_proc_t; - role $1 types sepgsql_ranged_proc_t; + role $4 types sepgsql_trusted_proc_t; + role $4 types sepgsql_ranged_proc_t; ############################## # @@ -94,6 +105,11 @@ interface(`postgresql_role',` allow $2 sepgsql_trusted_proc_t:process transition; type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + + optional_policy(` + systemd_user_app_status($1, sepgsql_ranged_proc_t) + systemd_user_app_status($1, sepgsql_trusted_proc_t) + ') ') ########################################