https://github.com/dalibo/selinux-pgsql-pgdg

SELinux policy module for PGDG rpms
https://github.com/dalibo/selinux-pgsql-pgdg

postgresql security security-hardening selinux-policy

Last synced: about 1 year ago
JSON representation

SELinux policy module for PGDG rpms

• Host: GitHub
• URL: https://github.com/dalibo/selinux-pgsql-pgdg
• Owner: dalibo
• License: postgresql
• Created: 2014-09-22T12:43:29.000Z (over 11 years ago)
• Default Branch: master
• Last Pushed: 2021-01-29T16:12:50.000Z (over 5 years ago)
• Last Synced: 2025-03-27T07:51:35.214Z (about 1 year ago)
• Topics: postgresql, security, security-hardening, selinux-policy
• Language: Shell
• Size: 34.2 KB
• Stars: 4
• Watchers: 17
• Forks: 3
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# SELinux policy module for the PostgreSQL install of the PGDG

This modules adds the file contexts needed by the RPM of PostgreSQL

provided by the PGDG (e.g. yum.postgresql.org). It requires the

`postgresql` module of the ref policy, which is enabled by default.

## RedHat Version / Support

Version up to 1.2.0 support RHEL/Centos 6 (policy version 24)

As of 1.3.0, it supports RHEL/Centos 7 (policy version 31).

It does not force you to enable sepgsql.

## Boolean Provided

This policy provides a `postgresql_pgdg_can_http` similar to `postgresql_can_rsync`

from refpolicy. When enabled, this boolean allows PostgreSQL to use HTTP ports

in e.g. `archive_command`, `recovery_end_command`, etc.

``` console

# setsebool postgresql_pgdg_can_http on

# getsebool postgresql_pgdg_can_http

postgresql_pgdg_can_http --> on

#

```

Read/Write access to watchdog devices is provided by the

`postgresql_pgdg_use_watchdog` boolean. The purpose of this boolean is

to allow confining Patroni (a HA framework for PostgreSQL) with the

`postgresql_t` type. Patroni being in charge of running the

postmaster.

``` console

# setsebool postgresql_pgdg_use_watchdog on

# getsebool postgresql_pgdg_use_watchdog

postgresql_pgdg_use_watchdog --> on

#

```

When we want to archive WAL segments on mount NFS filesystem, access

can be granted with the `postgresql_pgdg_use_nfs` boolean:

``` console

# setsebool postgresql_pgdg_use_nfs on

# getsebool postgresql_pgdg_use_nfs

postgresql_pgdg_use_nfs --> on

#

```

Permanent access shall be granted by setting boolean to on with the

`semanage boolean` command:

``` console

# semanage boolean -m --on 

```

## Notes

When running the postmaster on a TCP port different than 5432, you

need to allow it to bind to the port by adding a `semanage port` rule to the

local policy.

Appling `postgresql_t` to Patroni requires to :

* enable `postgresql_pgdg_can_http`

* label the DCS tcp port with `http_port_t` (tested with Etcd)

* use a unregistered port for the API of Patroni and label it with `postgresql_port_t`

# License

This is free software distributed under the PostgreSQL license.

Copyright (c) 2014-2020 Dalibo.