Linux Archive

Linux Archive (
-   Fedora SELinux Support (
-   -   PostgreSQL PITR & SELinux (

Dmitry Makovey 09-18-2012 07:32 PM

PostgreSQL PITR & SELinux
Hi everybody,

I have seen this topic pop up on this ML previously but without much traction.
However I'll try it again ;)

I'm building PostgreSQL setup with PGPool-II replication and PITR. After some
tinkering I've arrived at a module with contents:


module pgsql-pitr 1.7;

require {
type ssh_home_t;
type ssh_port_t;
type ssh_exec_t;
type rsync_exec_t;
type postgresql_t;
class tcp_socket name_connect;
class file { getattr execute read open execute_no_trans };
class dir { search getattr };

allow postgresql_t rsync_exec_t:file { read open execute_no_trans getattr
execute };

allow postgresql_t ssh_exec_t:file { read open execute execute_no_trans };

allow postgresql_t ssh_home_t:dir { search getattr };
allow postgresql_t ssh_home_t:file { read open getattr };

allow postgresql_t ssh_port_t:tcp_socket name_connect;

===end of pgsql-pitr.te===

All of the above to allow me to launch rsync as an "archive_command" from
postgres an copy WAL files from primary over to secondary, generated from
auditd messages thus very specific. I could probably drop the rsync part and
go with scp alone but that won't change what I'm about to ask.

What I really wander about is - above I've opened up quite a few things that
are very specific to this mode of operation, however I can't believe I'm in a
situation nobody else have been before and there are no booleans/tunables for
most of things outlined above. So is there a way to make above utilize
existing hooks or is it "as good as it gets"?

Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
Confidence is what you have before you understand the problem
Woody Allen

When in trouble when in doubt run in circles scream and shout

This communication is intended for the use of the recipient to whom it
is addressed, and may contain confidential, personal, and or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take
action relying on it. Any communications received in error, or
subsequent reply, should be deleted or destroyed.
selinux mailing list

All times are GMT. The time now is 04:34 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.