On 09/18/2012 06:03 PM, Dmitry Makovey wrote:
> Hi Dominick,
>
> thanks for your reply, see responses below:
>
> On September 18, 2012 22:31:02 Dominick Grift wrote:
>> On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
>>> What I really wonder about is - above I've opened up quite a few
>>> things that are very specific to this mode of operation, however I
>>> can't believe I'm in a situation nobody else has been in before and there
>>> are no booleans/tunables for most of the things outlined above. So is there
>>> a way to make the above utilize existing hooks or is it "as good as it
>>> gets"?
>>
>> Hi
>>
>> This actually looks pretty good in this case and well suited for a
>> boolean in the postgresql policy in my opinion.
>
> good to know it's not just me who thinks that way :)
>
>> Currently this is indeed not supported by the policy it seems.
>>
>> Why not file a bugzilla report as a feature request?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=858406
>

How about something like this?
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index be995df..85b7256 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -20,6 +20,13 @@ gen_require(` ## <desc> ## <p> +## Allow postgresql to use ssh and rsync to replicate databases +## </p> +## </desc> +gen_tunable(postgesql_replication, false) + +## <desc> +## <p> ## Allow unprivileged users to execute DDL statement ## </p> ## </desc> @@ -585,3 +592,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) + +optional_policy(` + tunable_policy(`postgresql_replication',` + rsync_exec(postgresql_t) + ') +') + +optional_policy(` + tunable_policy(`postgresql_replication',` + ssh_exec(postgresql_t) + ssh_read_user_home_files(postgresql_t) + corenet_tcp_connect_ssh_port(postgresql_t) + ') +')
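Review bot: in the first hunk the tunable is declared as `gen_tunable(postgesql_replication, false)` (missing "r"), while both `tunable_policy` blocks in the second hunk test `postgresql_replication`, so the boolean the rules depend on is never declared and the one that is declared gates nothing; rename the declaration to `gen_tunable(postgresql_replication, false)`. While touching the `<desc>`, it should also say that the boolean lets postgresql read users' ssh home directory content, since that is the broadest permission it toggles.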
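Review bot: in the second hunk, `ssh_read_user_home_files(postgresql_t)` grants the database domain read access to every user's ssh home directory content, not only the key the postgres account uses for replication, so with the boolean enabled a compromised postgresql_t process can read other users' ssh material as well; check whether the replication key can be placed under a type postgresql_t already reads, or at least call out this breadth in the `<desc>` so administrators know what they are enabling. Note also that `ssh_exec(postgresql_t)` executes ssh without a domain transition, so ssh runs as postgresql_t and any additional access it needs at runtime will show up as further denials against postgresql_t under this same boolean.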
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux