| author | Robert Haas | 2011-01-24 01:44:48 +0000 |
|---|---|---|
| committer | Robert Haas | 2011-01-24 01:48:27 +0000 |
| commit | 968bc6fac91d6aaca594488ab85c179b686cbbdd (patch) | |
| tree | 3cb8fa7ee4101723733e5ed5a06803f9c299c2d7 /contrib/sepgsql/sepgsql-regtest.te | |
| parent | e5487f65fdbd05716ade642a3ae1c5c6e85b6f22 (diff) | |
sepgsql, an SE-Linux integration for PostgreSQL
This is still pretty rough - among other things, the documentation
needs work, and the messages need a visit from the style police -
but this gets the basic framework in place.
KaiGai Kohei
Diffstat (limited to 'contrib/sepgsql/sepgsql-regtest.te')
| -rw-r--r-- | contrib/sepgsql/sepgsql-regtest.te | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
new file mode 100644
index 00000000000..66666d0c38a
--- /dev/null
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -0,0 +1,59 @@
+policy_module(sepgsql-regtest, 1.01)
+
+## <desc>
+## <p>
+## Allow to launch regression test of SE-PostgreSQL
+## Don't switch to TRUE in normal cases
+## </p>
+## </desc>
+gen_tunable(sepgsql_regression_test_mode, false)
+
+#
+# Test domains for database administrators
+#
+role sepgsql_regtest_dba_r;
+userdom_base_user_template(sepgsql_regtest_dba)
+userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
+userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
+optional_policy(`
+ postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
+ postgresql_stream_connect(sepgsql_regtest_dba_t)
+')
+optional_policy(`
+ unconfined_stream_connect(sepgsql_regtest_dba_t)
+ unconfined_rw_pipes(sepgsql_regtest_dba_t)
+')
+
+#
+# Dummy domain for unpriv users
+#
+role sepgsql_regtest_user_r;
+userdom_base_user_template(sepgsql_regtest_user)
+userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
+userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
+optional_policy(`
+ postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
+ postgresql_stream_connect(sepgsql_regtest_user_t)
+')
+optional_policy(`
+ unconfined_stream_connect(sepgsql_regtest_user_t)
+ unconfined_rw_pipes(sepgsql_regtest_user_t)
+')
+
+#
+# Rules to launch psql in the dummy domains
+#
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ type unconfined_t;
+ type sepgsql_trusted_proc_t;
+ ')
+ tunable_policy(`sepgsql_regression_test_mode',`
+ allow unconfined_t sepgsql_regtest_dba_t : process { transition };
+ allow unconfined_t sepgsql_regtest_user_t : process { transition };
+ ')
+ role unconfined_r types sepgsql_regtest_dba_t;
+ role unconfined_r types sepgsql_regtest_user_t;
+ role unconfined_r types sepgsql_trusted_proc_t;
+')
|
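Review bot: In the "Test domains for database administrators" section, `userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)` names the unprivileged test type instead of the DBA type. It duplicates the identical line in the "Dummy domain" section and leaves sepgsql_regtest_dba_t without that access, so it looks like a copy-paste slip and should presumably read `userdom_write_user_tmp_sockets(sepgsql_regtest_dba_t)`. Separately, in the last optional_policy block only the two `process { transition }` rules sit inside `tunable_policy`; the three `role unconfined_r types …` lines are outside it and apply whenever the module is loaded, whatever sepgsql_regression_test_mode is set to. A comment there such as `# role statements cannot be made conditional; the boolean gates only the transitions above` would keep a reader from assuming that setting the tunable to false disables the whole test setup, and the `<desc>` text could say that this module is meant for test hosts only.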
