selinux-refpolicy/targeted/domains/program/postgresql.te

139 lines
4.1 KiB
Plaintext

#DESC Postgresql - Database server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: postgresql
#
#################################
#
# Rules for the postgresql_t domain.
#
# postgresql_exec_t is the type of the postgresql executable.
#
daemon_domain(postgresql)
allow initrc_t postgresql_exec_t:lnk_file read;
allow postgresql_t usr_t:file { getattr read };
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
ifdef(`distro_debian', `
can_exec(postgresql_t, initrc_exec_t)
# gross hack
domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
can_exec(postgresql_t, dpkg_exec_t)
')
dontaudit postgresql_t sysadm_home_dir_t:dir search;
# quiet ps and killall
dontaudit postgresql_t domain:dir { getattr search };
# for currect directory of scripts
allow postgresql_t { var_spool_t cron_spool_t }:dir search;
# capability kill is for shutdown script
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
dontaudit postgresql_t self:capability sys_admin;
etcdir_domain(postgresql)
type postgresql_db_t, file_type, sysadmfile;
logdir_domain(postgresql)
ifdef(`crond.te', `
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
allow crond_t postgresql_db_t:dir search;
system_crond_entry(postgresql_exec_t, postgresql_t)
')
tmp_domain(postgresql, `', `{ dir file sock_file }')
file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
# Use the network.
can_network(postgresql_t)
can_ypbind(postgresql_t)
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(postgresql_t, self)
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:shm create_shm_perms;
ifdef(`targeted_policy', `', `
bool allow_user_postgresql_connect false;
if (allow_user_postgresql_connect) {
# allow any user domain to connect to the database server
can_tcp_connect(userdomain, postgresql_t)
allow userdomain postgresql_t:unix_stream_socket connectto;
allow userdomain postgresql_var_run_t:sock_file write;
allow userdomain postgresql_tmp_t:sock_file write;
}
')
ifdef(`consoletype.te', `
can_exec(postgresql_t, consoletype_exec_t)
')
ifdef(`hostname.te', `
can_exec(postgresql_t, hostname_exec_t)
')
allow postgresql_t postgresql_port_t:tcp_socket name_bind;
allow postgresql_t auth_port_t:tcp_socket name_connect;
allow postgresql_t { proc_t self }:file { getattr read };
# Allow access to the postgresql databases
create_dir_file(postgresql_t, postgresql_db_t)
file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
allow postgresql_t var_lib_t:dir { getattr search };
# because postgresql start scripts are broken and put the pid file in the DB
# directory
rw_dir_file(initrc_t, postgresql_db_t)
# read config files
allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
r_dir_file(initrc_t, postgresql_etc_t)
allow postgresql_t etc_t:dir rw_dir_perms;
read_sysctl(postgresql_t)
allow postgresql_t devtty_t:chr_file { read write };
allow postgresql_t devpts_t:dir search;
allow postgresql_t { bin_t sbin_t }:dir search;
allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t initrc_var_run_t:file { getattr read lock };
dontaudit postgresql_t selinux_config_t:dir search;
allow postgresql_t mail_spool_t:dir search;
lock_domain(postgresql)
can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
ifdef(`apache.te', `
#
# Allow httpd to work with postgresql
#
allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
can_unix_connect(httpd_t, postgresql_t)
')
ifdef(`distro_gentoo', `
# "su - postgres ..." is called from initrc_t
allow initrc_su_t postgresql_db_t:dir search;
allow postgresql_t initrc_su_t:process sigchld;
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')
dontaudit postgresql_t home_root_t:dir search;
can_kerberos(postgresql_t)
allow postgresql_t urandom_device_t:chr_file { getattr read };
if (allow_execmem) {
allow postgresql_t self:process execmem;
}