From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 6 Oct 2012 16:23:30 +0200 Subject: [refpolicy] [PATCH 1/1] Allow search within postgresql var directory for the stream connect interface Message-ID: <20121006142330.GA2856@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Domains that are granted postgresql_stream_connect() need to be able to search through the postgresql_var_run_t directory (in which the socket is located). Signed-off-by: Sven Vermeulen --- policy/modules/services/postgresql.if | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index ecef19f..79ccc90 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -431,6 +431,7 @@ interface(`postgresql_stream_connect',` files_search_pids($1) allow $1 postgresql_t:unix_stream_socket connectto; allow $1 postgresql_var_run_t:sock_file write; + allow $1 postgresql_var_run_t:dir search_dir_perms; # Some versions of postgresql put the sock file in /tmp allow $1 postgresql_tmp_t:sock_file write; ') -- 1.7.8.6
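Review bot: The added `allow $1 postgresql_var_run_t:dir search_dir_perms;` line, together with the two allow rules directly above it (`postgresql_t:unix_stream_socket connectto` and `postgresql_var_run_t:sock_file write`), spells out by hand what refpolicy's `stream_connect_pattern` support macro grants. Consider replacing the three rules with `stream_connect_pattern($1, postgresql_var_run_t, postgresql_var_run_t, postgresql_t)` so the directory search, socket-file write and connectto stay in one place and cannot drift apart again; note that the macro grants the `write_sock_file_perms` set on the socket file rather than bare `write`, so check that the slightly wider grant is acceptable. Separately, the `/tmp` fallback at the end of the hunk still only grants `postgresql_tmp_t:sock_file write`, and the visible context shows no search permission for that location. Since this patch fixes that gap only for the var_run path, it is worth confirming that the interface covers the tmp case elsewhere, or adding the matching search in the same change.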