author | Anthony G. Basile <blueness@gentoo.org> | 2011-03-07 02:53:17 +0000 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-03-07 02:53:17 +0000 |
commit | 774e28e83b9c3494380a58fe8e7026048d58d618 (patch) | |
tree | b7837aa4279981bc6ccdc152b8bc0bdefa5f468d /sec-policy/selinux-postgresql | |
parent | Fix filecontexts (diff) | |
Allow sysadm to manage postgresql
(Portage version: 2.1.9.25/cvs/Linux x86_64)
Diffstat (limited to 'sec-policy/selinux-postgresql')
3 files changed, 67 insertions, 1 deletions
diff --git a/sec-policy/selinux-postgresql/ChangeLog b/sec-policy/selinux-postgresql/ChangeLog
index 3cc8bef6bbb8..f1ca1a95a26d 100644
--- a/sec-policy/selinux-postgresql/ChangeLog
+++ b/sec-policy/selinux-postgresql/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for sec-policy/selinux-postgresql
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postgresql/ChangeLog,v 1.28 2011/02/05 12:07:08 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postgresql/ChangeLog,v 1.29 2011/03/07 02:53:17 blueness Exp $
+
+*selinux-postgresql-2.20101213-r1 (07 Mar 2011)
+
+ 07 Mar 2011; Anthony G. Basile <blueness@gentoo.org>
+ +files/fix-services-postgresql-r1.patch,
+ +selinux-postgresql-2.20101213-r1.ebuild:
+ Allow sysadm to manage postgresql
 *selinux-postgresql-2.20101213 (05 Feb 2011)
diff --git a/sec-policy/selinux-postgresql/files/fix-services-postgresql-r1.patch b/sec-policy/selinux-postgresql/files/fix-services-postgresql-r1.patch
new file mode 100644
index 000000000000..d0ef3b1238bd
--- /dev/null
+++ b/sec-policy/selinux-postgresql/files/fix-services-postgresql-r1.patch
@@ -0,0 +1,45 @@
+--- services/postgresql.te 2010-12-13 15:11:02.000000000 +0100
++++ services/postgresql.te 2011-02-13 14:36:56.000905046 +0100
+@@ -155,7 +155,7 @@
+ allow postgresql_t self:tcp_socket create_stream_socket_perms;
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
++allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+
+ allow postgresql_t sepgsql_database_type:db_database *;
+@@ -269,7 +269,8 @@
+
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+ userdom_dontaudit_search_user_home_dirs(postgresql_t)
+-userdom_dontaudit_use_user_terminals(postgresql_t)
++userdom_use_user_terminals(postgresql_t)
++#userdom_dontaudit_use_user_terminals(postgresql_t)
+
+ mta_getattr_spool(postgresql_t)
+
+--- services/postgresql.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/postgresql.fc 2011-02-13 13:40:48.798905046 +0100
+@@ -5,6 +5,10 @@
+ /etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+ /etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+
++ifdef(`distro_gentoo', `
++/etc/postgresql-.*(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
++')
++
+ #
+ # /usr
+ #
+@@ -23,6 +27,10 @@
+ /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ ')
+
++ifdef(`distro_gentoo', `
++/usr/lib(64)?/postgresql-.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++')
++
+ #
+ # /var
+ #
diff --git a/sec-policy/selinux-postgresql/selinux-postgresql-2.20101213-r1.ebuild b/sec-policy/selinux-postgresql/selinux-postgresql-2.20101213-r1.ebuild
new file mode 100644
index 000000000000..2b80bba822ca
--- /dev/null
+++ b/sec-policy/selinux-postgresql/selinux-postgresql-2.20101213-r1.ebuild
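Review bot: In the `@@ -269,7 +269,8 @@` hunk of the embedded postgresql.te patch, `userdom_use_user_terminals(postgresql_t)` turns a silenced denial into a grant, so the confined server domain may use user terminal devices wherever this policy is installed, which is broader than the commit's stated aim of letting sysadm manage the service. If the access is only needed while an administrator runs the init script from a shell (my assumption; the page does not say which denial prompted it), keeping `userdom_dontaudit_use_user_terminals(postgresql_t)` and granting terminal use on the administrative path would be the narrower fix; the change is also not gated on distro_gentoo the way the .fc additions are. The commented-out `#userdom_dontaudit_use_user_terminals(postgresql_t)` should be deleted rather than shipped in the patch. In the second postgresql.fc hunk, `postgresql-.*` can match across `/`, so `/usr/lib(64)?/postgresql-[^/]+/bin/.*` would keep `postgresql_exec_t` to the versioned directory's own `bin/`.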
@@ -0,0 +1,14 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postgresql/selinux-postgresql-2.20101213-r1.ebuild,v 1.1 2011/03/07 02:53:17 blueness Exp $
+
+MODS="postgresql"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for PostgreSQL"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-postgresql-r1.patch" |