diff --git a/Changelog b/Changelog
index 390ea11..ccdaf25 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- SE-Postgresql updates from KaiGai Kohei.
 - X object manager revisions from Eamon Walsh.
 - Added modules:
 chronyd (Miroslav Grepl)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index d95c87e..77ff0c6 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql, 1.10.1)
+policy_module(postgresql, 1.10.2)
 gen_require(`
 class db_database all_db_database_perms;
@@ -366,10 +366,17 @@ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setat
 allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
 allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
+type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;
+
 allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
+allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
+
+type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
 allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
+type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
+
 allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
 kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
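Review bot: In the `@@ -366,10 +366,17 @@` hunk of postgresql.te, the added `allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;` grants execute on one concrete type while the rule just above it uses the `sepgsql_procedure_type` attribute, and nothing says the narrower scope is intentional. If it is (it looks like a guard against administrative domains running procedures that carry some other label), a comment such as `# execute only on the default admin procedure type; do not widen to sepgsql_procedure_type` would keep a later cleanup from widening it to the attribute. The three `type_transition` rules would also benefit from a one-line comment saying they set the default label for tables, procedures and blobs created by administrative domains. Since every admin-created procedure now lands in `sepgsql_proc_exec_t` by default, it is worth confirming outside this hunk which client domains may execute that type.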