postgresql, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge
parent
48a7d3db51
commit
86462c81ec
|
|
@ -37,7 +37,7 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_role(staff_r, staff_t)
|
||||
postgresql_role(staff, staff_t, staff_application_exec_domain, staff_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -119,7 +119,7 @@ ifndef(`distro_redhat',`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_role(user_r, user_t)
|
||||
postgresql_role(user, user_t, user_application_exec_domain, user_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -4,18 +4,29 @@
|
|||
## <summary>
|
||||
## Role access for SE-PostgreSQL.
|
||||
## </summary>
|
||||
## <param name="user_role">
|
||||
## <param name="role_prefix">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## The prefix of the user role (e.g., user
|
||||
## is the prefix for user_r).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## User domain for the role.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_exec_domain">
|
||||
## <summary>
|
||||
## User exec domain for execute and transition access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_role',`
|
||||
template(`postgresql_role',`
|
||||
gen_require(`
|
||||
class db_database all_db_database_perms;
|
||||
class db_schema all_db_schema_perms;
|
||||
|
|
@ -46,8 +57,8 @@ interface(`postgresql_role',`
|
|||
#
|
||||
|
||||
typeattribute $2 sepgsql_client_type;
|
||||
role $1 types sepgsql_trusted_proc_t;
|
||||
role $1 types sepgsql_ranged_proc_t;
|
||||
role $4 types sepgsql_trusted_proc_t;
|
||||
role $4 types sepgsql_ranged_proc_t;
|
||||
|
||||
##############################
|
||||
#
|
||||
|
|
@ -94,6 +105,11 @@ interface(`postgresql_role',`
|
|||
|
||||
allow $2 sepgsql_trusted_proc_t:process transition;
|
||||
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
|
||||
|
||||
optional_policy(`
|
||||
systemd_user_app_status($1, sepgsql_ranged_proc_t)
|
||||
systemd_user_app_status($1, sepgsql_trusted_proc_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
Loading…
Reference in New Issue