commit: 51abb9d4bde449ab072cd8d922d22b89758ad823 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sun Nov 25 21:38:04 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sun Nov 25 21:38:19 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=51abb9d4 |
|
Postgresql 9.2 connects to its unix stream socket |
|
When starting postgresql, it fails with the (not very informative) error message: |
pg_ctl: could not start server |
|
In the denials, we notice: |
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400 |
audit(1353750112.021:10143): avc: denied { connectto } for pid=20481 |
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... |
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t |
tclass=unix_stream_socket |
|
Hence, allow postgresql to connect to its own stream socket. |
|
See also bug #444540 |
|
--- |
policy/modules/services/postgresql.te | 4 ++++ |
1 files changed, 4 insertions(+), 0 deletions(-) |
|
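diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0210aef..906a2c1 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -363,6 +363,10 @@ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
 userdom_dontaudit_search_user_home_dirs(postgresql_t)
 userdom_dontaudit_use_user_terminals(postgresql_t)
 
+ifdef(`distro_gentoo',`
+ allow postgresql_t self:unix_stream_socket connectto;
+')
+
 optional_policy(`
 mta_getattr_spool(postgresql_t)
 ')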
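Review bot: The new `allow postgresql_t self:unix_stream_socket connectto;` is gated on `distro_gentoo`, but the denial quoted in the commit message comes from pg_ctl in PostgreSQL 9.2 connecting to the server's own socket, which is upstream behaviour rather than anything Gentoo-specific, so other distributions running 9.2 would presumably hit the same denial. Consider moving the rule out of the `ifdef` block so it sits with the other unconditional `postgresql_t` self rules, and proposing it upstream. Either way a short comment in the policy would help the next maintainer understand why a daemon needs `connectto` on its own stream socket: `# pg_ctl (9.2+) connects to the server's unix socket to verify startup`. The rule is limited to `self`, so it grants no access to other domains' sockets, which is the right scope for this denial.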