#DESC Postgresql - Database server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: postgresql
#
# Legacy (pre-reference-policy) SELinux type enforcement for the PostgreSQL
# server. Everything the daemon does runs as postgresql_t; the database
# files get postgresql_db_t, configuration postgresql_etc_t (via
# etcdir_domain), logs via logdir_domain and scratch files postgresql_tmp_t
# (via tmp_domain). Two booleans, both default false, gate the riskier
# interactions: allow_user_postgresql_connect and allow_postgresql_use_pam.

#################################
#
# Rules for the postgresql_t domain.
#
# postgresql_exec_t is the type of the postgresql executable.
#
daemon_domain(postgresql)
# The init script follows a symlink to the server binary.
allow initrc_t postgresql_exec_t:lnk_file read;
allow postgresql_t usr_t:file { getattr read };

# Unix-domain listening socket under /var/run.
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;

ifdef(`distro_debian', `
can_exec(postgresql_t, initrc_exec_t)
# gross hack: the Debian package postinst runs the server binary directly
# from dpkg_t, so transition it into postgresql_t instead of leaving the
# server running in the package manager's domain.  NOTE(review): this also
# lets postgresql_t run dpkg itself (next line) - confirm that is still
# required, it is a lot of privilege for a database daemon.
domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
can_exec(postgresql_t, dpkg_exec_t)
')

# Silence denials from scripts started out of the admin's home directory;
# access is denied, just not logged.
dontaudit postgresql_t sysadm_home_dir_t:dir search;

# quiet ps and killall
dontaudit postgresql_t domain:dir { getattr search };

# for the current directory of scripts (cron jobs start in the spool dir)
allow postgresql_t { var_spool_t cron_spool_t }:dir search;

# capability kill is for shutdown script
# NOTE(review): the remaining capabilities are broad for a database server.
# dac_override/dac_read_search bypass file mode bits on everything the
# type rules otherwise permit, and setuid/setgid allow changing identity;
# presumably the init/maintenance scripts need them (su to postgres,
# chown of the data directory) - confirm each is still exercised and drop
# the ones that are not.
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
# sys_admin is probed (e.g. by shm/limits setup) but never granted.
dontaudit postgresql_t self:capability sys_admin;

# Defines postgresql_etc_t for the configuration files.
etcdir_domain(postgresql)
# Database cluster directory (data files, pid file - see below).
type postgresql_db_t, file_type, sysadmfile;

logdir_domain(postgresql)

ifdef(`crond.te', `
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
allow crond_t postgresql_db_t:dir search;
# Maintenance cron jobs run in postgresql_t, not in the generic cron domain.
system_crond_entry(postgresql_exec_t, postgresql_t)
')

# Scratch files and sockets in /tmp, and the same label on tmpfs (/dev/shm).
tmp_domain(postgresql, `', `{ dir file sock_file }')
file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)

# Use the network.
can_network(postgresql_t)
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
# Backends talk to the postmaster over its own unix socket.
can_unix_connect(postgresql_t, self)
allow postgresql_t self:unix_dgram_socket create_socket_perms;

# Shared buffers live in SysV shared memory.
allow postgresql_t self:shm create_shm_perms;

ifdef(`targeted_policy', `', `
# Off by default: local user domains cannot reach the server at all
# (neither TCP nor the unix socket) unless the administrator enables it.
bool allow_user_postgresql_connect false;

if (allow_user_postgresql_connect) {
# allow any user domain to connect to the database server
can_tcp_connect(userdomain, postgresql_t)
allow userdomain postgresql_t:unix_stream_socket connectto;
allow userdomain postgresql_var_run_t:sock_file write;
allow userdomain postgresql_tmp_t:sock_file write;
}
')
# Helpers the init script runs from within the daemon's domain.
ifdef(`consoletype.te', `
can_exec(postgresql_t, consoletype_exec_t)
')

ifdef(`hostname.te', `
can_exec(postgresql_t, hostname_exec_t)
')

# Listen on the PostgreSQL port; outbound connections are only permitted to
# the auth (ident) port - presumably for ident-based client authentication.
allow postgresql_t postgresql_port_t:tcp_socket name_bind;
allow postgresql_t auth_port_t:tcp_socket name_connect;

allow postgresql_t { proc_t self }:file { getattr read };

# Allow access to the postgresql databases
create_dir_file(postgresql_t, postgresql_db_t)
# Anything the daemon creates under /var/lib is labelled as database data.
file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
allow postgresql_t var_lib_t:dir { getattr search };

# because postgresql start scripts are broken and put the pid file in the DB
# directory
# NOTE(review): this gives initrc_t read/write on the whole database tree,
# not just the pid file; a fix in the start script would let this be
# narrowed to postgresql_var_run_t.
rw_dir_file(initrc_t, postgresql_db_t)

# read config files
allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
r_dir_file(initrc_t, postgresql_etc_t)

# NOTE(review): rw_dir_perms on generic etc_t directories lets the daemon
# add, rename and remove entries anywhere under /etc that carries that
# label.  A database server should normally only need to write into its
# own postgresql_etc_t directory; confirm what actually writes here and
# narrow this if possible.
allow postgresql_t etc_t:dir rw_dir_perms;

read_sysctl(postgresql_t)

# Terminal access for interactive starts and the init script's messages.
allow postgresql_t devtty_t:chr_file { read write };
allow postgresql_t devpts_t:dir search;

allow postgresql_t { bin_t sbin_t }:dir search;
allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };

# SysV semaphores for backend synchronisation.
allow postgresql_t self:sem create_sem_perms;

allow postgresql_t initrc_var_run_t:file { getattr read lock };
dontaudit postgresql_t selinux_config_t:dir search;
allow postgresql_t mail_spool_t:dir search;
lock_domain(postgresql)
# The daemon's domain may run shells and arbitrary bin_t programs (needed by
# the wrapper/maintenance scripts).  NOTE(review): this widens what a
# compromised server process can execute; it stays in postgresql_t, but
# consider whether the scripts could run in a separate domain.
can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
ifdef(`apache.te', `
#
# Allow httpd to work with postgresql
#
# Note this is unconditional whenever apache.te is built, unlike the
# boolean-gated user-domain access above: any httpd_t process can reach the
# server's unix socket without an administrator opting in.
allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
can_unix_connect(httpd_t, postgresql_t)
')

ifdef(`distro_gentoo', `
# "su - postgres ..." is called from initrc_t
allow initrc_su_t postgresql_db_t:dir search;
allow postgresql_t initrc_su_t:process sigchld;
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')

dontaudit postgresql_t home_root_t:dir search;
# Entropy for session keys / salts; read-only.
allow postgresql_t urandom_device_t:chr_file { getattr read };

# Executable anonymous memory is only granted when the global allow_execmem
# boolean is on (it weakens W^X for the daemon).
if (allow_execmem) {
allow postgresql_t self:process execmem;
}

# Lets the server read the system authentication databases.
authentication_domain(postgresql_t)
#
# postgresql has pam support
#
# Off by default: with it on, the server may run the PAM helper
# (unix_chkpwd) in its own domain to verify local passwords.
bool allow_postgresql_use_pam false;
if (allow_postgresql_use_pam) {
domain_auto_trans(postgresql_t, chkpwd_exec_t, system_chkpwd_t)
}