From: aranea@aixah.de (Luis Ressel)
Date: Sun, 17 Nov 2013 13:52:57 +0100
Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
Message-ID: <1384692777-9505-1-git-send-email-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Currently, all postgresql commands in are labeled as postgresql_exec_t. This means they can only be executed by db admins. However, the "normal" commands, such as createdb or psql, should also be executable by users. (The users in question still need to be granted postgresql_role(), so this is no security problem.)

I only changed this behavior in the gentoo-specific part of the policy; however, other distros might want to have a look at this.
---
 policy/modules/services/postgresql.fc | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..bf28911 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -46,3 +46,21 @@ ifdef(`distro_redhat', ` /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) /var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) + +ifdef(`distro_gentoo',` +/etc/init\.d/postgresql-.* -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) + +/etc/postgresql-.*(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) + +/usr/lib/postgresql-.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/postgresql-.*/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql-.*/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) +') -- 1.8.4.3
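Review bot: the catch-all `/usr/lib/postgresql-.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)` fails open: every binary in that directory that is not named in the explicit postgresql_exec_t list below it becomes bin_t, i.e. runs in the caller's own domain rather than being restricted to the db admin path the commit message describes. initdb, which creates a cluster and is clearly administrative, is not in the list and would be labeled bin_t, and the same will happen silently to any administrative tool a future PostgreSQL release adds to bin/. Either add initdb (and audit the remaining bin/ contents) to the postgresql_exec_t entries, or invert the approach so the directory defaults to postgresql_exec_t and only the client tools the commit message wants user-executable (psql, createdb and friends) are listed as bin_t; the second form keeps the default on the safe side when new binaries appear. Minor style point: the existing context uses `ifdef(`distro_redhat', `` with a space after the comma, while the new block is written `ifdef(`distro_gentoo',`; matching the surrounding spacing keeps the file consistent.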