PostgreSQL PITR & SELinux

Hi everybody,

I have seen this topic pop up on this ML previously but without much traction. 
However, I'll try it again ;)

I'm building a PostgreSQL setup with PGPool-II replication and PITR. After some 
tinkering I've arrived at a module with contents:

===pgsql-pitr.te===

module pgsql-pitr 1.7;

require {
        type ssh_home_t;
        type ssh_port_t;
        type ssh_exec_t;
        type rsync_exec_t;
        type postgresql_t;
        class tcp_socket name_connect;
        class file { getattr execute read open execute_no_trans };
        class dir { search getattr };
}

allow postgresql_t rsync_exec_t:file { read open execute_no_trans getattr execute };

allow postgresql_t ssh_exec_t:file { read open execute execute_no_trans };

allow postgresql_t ssh_home_t:dir { search getattr };
allow postgresql_t ssh_home_t:file { read open getattr };

allow postgresql_t ssh_port_t:tcp_socket name_connect;

===end of pgsql-pitr.te===

All of the above to allow me to launch rsync as an "archive_command" from 
postgres and copy WAL files from primary over to secondary, generated from 
auditd messages thus very specific. I could probably drop the rsync part and 
go with scp alone but that won't change what I'm about to ask.

What I really wonder about is - above I've opened up quite a few things that 
are very specific to this mode of operation, however I can't believe I'm in a 
situation nobody else has been in before and there are no booleans/tunables for 
most of the things outlined above. So is there a way to make the above utilize 
existing hooks or is it "as good as it gets"?

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen

When in trouble when in doubt run in circles scream and shout 
     http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
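As an added example (not part of the post or of any policy package), a small Python helper that turns the allow rules of the posted module into setools `sesearch -C` queries, so the installed policy can report which rules it already grants, possibly behind a boolean, before a custom audit2allow-derived module is loaded. It assumes setools (`sesearch`) is present on the SELinux host; off-box it only builds the queries.

```python
"""Turn the allow rules of a custom .te module into sesearch queries, so the
installed policy can say which it already grants (sesearch -C also shows
rules that are conditional on a boolean) before the module ships."""
import re
import shutil
import subprocess

# The module from the post, including its wrapped permission set.
PGSQL_PITR_TE = """
module pgsql-pitr 1.7;
require { type postgresql_t; class file { read open }; }
allow postgresql_t rsync_exec_t:file { read open execute_no_trans getattr
execute };
allow postgresql_t ssh_exec_t:file { read open execute execute_no_trans };
allow postgresql_t ssh_home_t:dir { search getattr };
allow postgresql_t ssh_home_t:file { read open getattr };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
"""

# allow <src> <tgt>:<class> { perms } ;  or  allow <src> <tgt>:<class> perm ;
# [^}]* lets a brace-enclosed permission set continue on the next line.
ALLOW_RE = re.compile(
    r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_allow_rules(te_text):
    """Return (source, target, class, sorted perms) for every allow rule."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        src, tgt, cls, perm_set, single = m.groups()
        perms = perm_set.split() if perm_set else [single]
        rules.append((src, tgt, cls, tuple(sorted(perms))))
    return rules


def sesearch_query(rule):
    """setools command asking whether the installed policy grants this rule."""
    src, tgt, cls, perms = rule
    return ["sesearch", "-A", "-C", "-s", src, "-t", tgt,
            "-c", cls, "-p", ",".join(perms)]


def check_against_installed_policy(te_text):
    """Map each rule to sesearch's output ('' means not granted today).
    Returns None when setools is absent, so this is a no-op off-box."""
    if shutil.which("sesearch") is None:
        return None
    return {rule: subprocess.run(sesearch_query(rule), capture_output=True,
                                 text=True, check=False).stdout.strip()
            for rule in parse_allow_rules(te_text)}
```

Rules for which sesearch prints an unconditional match can be dropped from the module; a match printed with a boolean condition points at the tunable to enable instead.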


-- 
    This communication is intended for the use of the recipient to whom it
    is addressed, and may contain confidential, personal, and or privileged
    information. Please contact us immediately if you are not the intended
    recipient of this communication, and do not copy, distribute, or take
    action relying on it. Any communications received in error, or
    subsequent reply, should be deleted or destroyed.
---
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux