commit: 308888a12ee5791053d6d80cfc49fc620b54ba83 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Thu Aug 16 18:20:03 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Thu Aug 16 18:20:03 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=308888a1 |
|
Support executing postgresql utilities without transition |
|
Clients that want to interact with postgresql need execute privileges on the |
commands, but do not require domain transitions. |
|
--- |
policy/modules/services/postgresql.if | 18 ++++++++++++++++++ |
1 files changed, 18 insertions(+), 0 deletions(-) |
|
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if |
18 |
index ecef19f..81f87bd 100644 |
19 |
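--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -334,6 +334,24 @@ interface(`postgresql_manage_db',`
 allow $1 postgresql_db_t:lnk_file { getattr read };
 ')
 
+#######################################
+## <summary>
+## Execute postgresql in the calling domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`postgresql_exec',`
+ gen_require(`
+ type postgresql_exec_t;
+ ')
+
+ can_exec($1, postgresql_exec_t);
+')
+
 ########################################
 ## <summary>
 ## Execute postgresql in the postgresql domain.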
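Review bot: The summary on the new `postgresql_exec` interface does not say that `can_exec($1, postgresql_exec_t)` covers every file carrying that label, while the commit message only has the client-facing commands in mind. If server binaries share `postgresql_exec_t` (the file contexts are not visible in this hunk), a caller of this interface would run them with its own domain's permissions instead of in the confined postgresql domain, so that is worth confirming before domains start using it. I would make the intent explicit in the header, for example `## Execute postgresql utilities in the calling domain, without a domain transition.`, and point readers who need confinement to the domain-transition interface that follows. The param summary should also end with a period (`## Domain allowed access.`) to match the wording used by the other interfaces.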