From: aranea@aixah.de (Luis Ressel)
Date: Sun, 21 Jan 2018 17:56:03 +0100
Subject: [refpolicy] [PATCH] postgres: Add neccessary map permissions
Message-ID: <20180121165603.1665-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
I'm also removing pg's permission to open hugetlbfs_t files, since it
doesn't make any sense.
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
policy/modules/services/postgresql.te | 3 ++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 41f19619..e2a58d8e 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2322,6 +2322,24 @@ interface(`fs_rw_inherited_hugetlbfs_files',`
allow $1 hugetlbfs_t:file rw_inherited_file_perms;
')
+########################################
+##
+## Read and write inherited hugetlbfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mmap_rw_inherited_hugetlbfs_files',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:file mmap_rw_inherited_file_perms;
+')
+
########################################
##
## Read and write hugetlbfs files.
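Review bot: The summary line of the new interface (`## Read and write inherited hugetlbfs files.`) is copied verbatim from fs_rw_inherited_hugetlbfs_files just above it, so the generated interface documentation will not distinguish the two even though this one additionally grants `map`; change it to `## Read, write, and map inherited hugetlbfs files.` and add a second line stating that `open` is deliberately not granted, which is the point the commit message makes. The `<summary>` and `<param name="domain">` markup that refpolicy expects around the description and parameter lines does not appear in this rendering of the hunk; if it is absent from the patch itself rather than stripped by the mail archive, the doc extractor will not pick this interface up. The interface also relies on `mmap_rw_inherited_file_perms` being defined in the policy's permission-set macros at this revision; if it is not, the module will fail to build, so that is worth confirming before merge.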
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index f118d9d0..97a9d153 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -297,6 +297,7 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+allow postgresql_t postgresql_tmp_t:file map;
manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
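Review bot: The new `allow postgresql_t postgresql_tmp_t:file map;` rule carries no explanation of which access pattern needs mapping of tmp files, and nothing on this page says either, so the next reviewer cannot tell whether it can be narrowed later. A one-line why-comment above it, hedged until the originating denial is checked, would do: `# presumably mmap()-backed shared memory segments under tmp; confirm against the AVC denial that motivated this`. Keeping the rule next to the tmp-file pattern macros, as done here, is consistent with the rest of the block; the surrounding postgresql_t rule set starts and ends outside the hunk.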
@@ -330,7 +331,7 @@ dev_read_urand(postgresql_t)
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
-fs_rw_hugetlbfs_files(postgresql_t)
+fs_mmap_rw_inherited_hugetlbfs_files(postgresql_t)
selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
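Review bot: Replacing fs_rw_hugetlbfs_files with fs_mmap_rw_inherited_hugetlbfs_files silently drops `open` on hugetlbfs_t files, and the rationale lives only in the commit message, not in the policy file where the next person hitting an open() denial will look. A short comment above the call would preserve it: `# hugetlbfs segments are mapped, not opened; open is intentionally not granted`. If some deployment does mount hugetlbfs and has PostgreSQL open files on it by path, this is a behavioural regression for that setup, so the comment should state that assumption explicitly rather than just "doesn't make sense".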
--
2.15.1