From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 17 Dec 2012 10:42:43 +0100
Subject: [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket
In-Reply-To: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be>
References: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1355737370-27628-2-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When starting postgresql, it fails with the (little saying) error message:

pg_ctl: could not start server

In the denials, we notice:

Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400 audit(1353750112.021:10143): avc: denied { connectto } for pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket

Hence, allow postgresql to connect to its own stream socket.

Signed-off-by: Sven Vermeulen
---
 policy/modules/services/postgresql.te | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0210aef..94b1a57 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -234,7 +234,7 @@ allow postgresql_t self:shm create_shm_perms;
 allow postgresql_t self:tcp_socket create_stream_socket_perms;
 allow postgresql_t self:udp_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow postgresql_t self:netlink_selinux_socket create_socket_perms;
 tunable_policy(`sepgsql_transmit_client_label',`
 allow postgresql_t self:process { setsockcreate };
-- 
1.7.8.6
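Review bot: the `connectto` added to the `self:unix_stream_socket` line is correctly scoped to the denial shown, since scontext and tcontext are both `system_u:system_r:postgresql_t` (pg_ctl runs in the server's own domain and connects to the socket that domain created), so no new interface, type or domain transition is needed; the commit message should, however, state that the rule is not specific to 9.2 as the subject line implies, since the allow is unconditional and will be granted for every postgresql version this module is loaded with, which is harmless here because it only lets the domain connect to its own socket. One style point in the unchanged context of the same hunk, worth a separate follow-up rather than folding into this patch: `allow postgresql_t self:udp_socket create_stream_socket_perms;` uses the stream permission set on a datagram class, whereas the neighbouring `self:unix_dgram_socket` line uses `create_socket_perms`; the two datagram classes should probably use the same set.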