{"id":20491703,"url":"https://github.com/dalibo/selinux-pgsql-pgdg","last_synced_at":"2025-04-13T16:55:21.733Z","repository":{"id":21031927,"uuid":"24328150","full_name":"dalibo/selinux-pgsql-pgdg","owner":"dalibo","description":"SELinux policy module for PGDG rpms","archived":false,"fork":false,"pushed_at":"2021-01-29T16:12:50.000Z","size":35,"stargazers_count":4,"open_issues_count":0,"forks_count":3,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-03-27T07:51:35.214Z","etag":null,"topics":["postgresql","security","security-hardening","selinux-policy"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"postgresql","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dalibo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-09-22T12:43:29.000Z","updated_at":"2021-01-29T16:12:21.000Z","dependencies_parsed_at":"2022-08-31T05:20:30.882Z","dependency_job_id":null,"html_url":"https://github.com/dalibo/selinux-pgsql-pgdg","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dalibo%2Fselinux-pgsql-pgdg","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dalibo%2Fselinux-pgsql-pgdg/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dalibo%2Fselinux-pgsql-pgdg/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dalibo%2Fselinux-pgsql-pgdg/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dalibo","download_url":"https://codeload.github.com/dalibo/selinux-pgsql-pgdg/tar.gz/refs/hea
ds/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248750011,"owners_count":21155682,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["postgresql","security","security-hardening","selinux-policy"],"created_at":"2024-11-15T17:25:37.975Z","updated_at":"2025-04-13T16:55:21.711Z","avatar_url":"https://github.com/dalibo.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SELinux policy module for the PostgreSQL install of the PGDG\n\nThis module adds the file contexts needed by the RPM of PostgreSQL\nprovided by the PGDG (e.g. yum.postgresql.org). It requires the\n`postgresql` module of the ref policy, which is enabled by default.\n\n## Red Hat Version / Support\n\nVersions up to 1.2.0 support RHEL/CentOS 6 (policy version 24).\n\nAs of 1.3.0, it supports RHEL/CentOS 7 (policy version 31).\n\nIt does not force you to enable sepgsql.\n\n## Booleans Provided\n\nThis policy provides a `postgresql_pgdg_can_http` boolean similar to `postgresql_can_rsync`\nfrom refpolicy. When enabled, this boolean allows PostgreSQL to use HTTP ports\nin e.g. `archive_command`, `recovery_end_command`, etc.\n\n``` console\n# setsebool postgresql_pgdg_can_http on\n# getsebool postgresql_pgdg_can_http\npostgresql_pgdg_can_http --\u003e on\n#\n```\n\nRead/Write access to watchdog devices is provided by the\n`postgresql_pgdg_use_watchdog` boolean. The purpose of this boolean is\nto allow confining Patroni (an HA framework for PostgreSQL) with the\n`postgresql_t` type. 
Patroni is in charge of running the\npostmaster.\n\n``` console\n# setsebool postgresql_pgdg_use_watchdog on\n# getsebool postgresql_pgdg_use_watchdog\npostgresql_pgdg_use_watchdog --\u003e on\n#\n```\n\nTo archive WAL segments on a mounted NFS filesystem, access\ncan be granted with the `postgresql_pgdg_use_nfs` boolean:\n\n``` console\n# setsebool postgresql_pgdg_use_nfs on\n# getsebool postgresql_pgdg_use_nfs\npostgresql_pgdg_use_nfs --\u003e on\n#\n```\n\nPermanent access is granted by setting the boolean to on with the\n`semanage boolean` command:\n\n``` console\n# semanage boolean -m --on \u003cboolean\u003e\n```\n\n## Notes\n\nWhen running the postmaster on a TCP port other than 5432, you\nneed to allow it to bind to the port by adding a `semanage port` rule to the\nlocal policy.\n\nApplying `postgresql_t` to Patroni requires you to:\n\n* enable `postgresql_pgdg_can_http`\n* label the DCS TCP port with `http_port_t` (tested with Etcd)\n* use an unregistered port for the API of Patroni and label it with `postgresql_port_t`\n\n\n# License\n\nThis is free software distributed under the PostgreSQL license.\n\nCopyright (c) 2014-2020 Dalibo.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdalibo%2Fselinux-pgsql-pgdg","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdalibo%2Fselinux-pgsql-pgdg","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdalibo%2Fselinux-pgsql-pgdg/lists"}