From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 3 Jan 2013 10:30:41 -0500 Subject: [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket In-Reply-To: <1355737370-27628-2-git-send-email-sven.vermeulen@siphos.be> References: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be> <1355737370-27628-2-git-send-email-sven.vermeulen@siphos.be> Message-ID: <50E5A421.1060207@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/17/12 04:42, Sven Vermeulen wrote: > When starting postgresql, it fails with the (little saying) error message: > pg_ctl: could not start server > > In the denials, we notice: > Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400 > audit(1353750112.021:10143): avc: denied { connectto } for pid=20481 > comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... > scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t > tclass=unix_stream_socket > > Hence, allow postgresql to connect to its own stream socket. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/services/postgresql.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te > index 0210aef..94b1a57 100644 > --- a/policy/modules/services/postgresql.te > +++ b/policy/modules/services/postgresql.te 
> @@ -234,7 +234,7 @@ allow postgresql_t self:shm create_shm_perms; > allow postgresql_t self:tcp_socket create_stream_socket_perms; > allow postgresql_t self:udp_socket create_stream_socket_perms; > allow postgresql_t self:unix_dgram_socket create_socket_perms; > -allow postgresql_t self:unix_stream_socket create_stream_socket_perms; > +allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; > allow postgresql_t self:netlink_selinux_socket create_socket_perms; > tunable_policy(`sepgsql_transmit_client_label',` > allow postgresql_t self:process { setsockcreate }; Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
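Review bot: the commit message states the denial but not why pg_ctl needs connectto on the domain's own socket; the avc line (comm="pg_ctl", path="/run/postgresql/.s.PGSQL.5432", scontext and tcontext both postgresql_t) shows that pg_ctl, running in postgresql_t, connects to the server's listening socket after launching it, which is the rationale worth recording above the rule. The grant itself is as narrow as the denial allows: `allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };` only covers stream sockets the postgresql_t domain created itself, so no wider stream_connect interface is needed, and the surrounding self:tcp_socket and self:unix_dgram_socket rules are untouched.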