SELinux policy module for PGDG rpms
This modules adds the file contexts needed by the RPM of PostgreSQL
provided by the PGDG (e.g. yum.postgresql.org). It requires thepostgresql
module of the ref policy, which is enabled by default.
Version up to 1.2.0 support RHEL/Centos 6 (policy version 24)
As of 1.3.0, it supports RHEL/Centos 7 (policy version 31).
It does not force you to enable sepgsql.
This policy provides a postgresql_pgdg_can_http
similar to postgresql_can_rsync
from refpolicy. When enabled, this boolean allows PostgreSQL to use HTTP ports
in e.g. archive_command
, recovery_end_command
, etc.
# setsebool postgresql_pgdg_can_http on
# getsebool postgresql_pgdg_can_http
postgresql_pgdg_can_http --> on
#
Read/Write access to watchdog devices is provided by thepostgresql_pgdg_use_watchdog
boolean. The purpose of this boolean is
to allow confining Patroni (a HA framework for PostgreSQL) with thepostgresql_t
type. Patroni being in charge of running the
postmaster.
# setsebool postgresql_pgdg_use_watchdog on
# getsebool postgresql_pgdg_use_watchdog
postgresql_pgdg_use_watchdog --> on
#
When we want to archive WAL segments on mount NFS filesystem, access
can be granted with the postgresql_pgdg_use_nfs
boolean:
# setsebool postgresql_pgdg_use_nfs on
# getsebool postgresql_pgdg_use_nfs
postgresql_pgdg_use_nfs --> on
#
Permanent access shall be granted by setting boolean to on with thesemanage boolean
command:
# semanage boolean -m --on <boolean>
When running the postmaster on a TCP port different than 5432, you
need to allow it to bind to the port by adding a semanage port
rule to the
local policy.
Appling postgresql_t
to Patroni requires to :
postgresql_pgdg_can_http
http_port_t
(tested with Etcd)postgresql_port_t
This is free software distributed under the PostgreSQL license.
Copyright (c) 2014-2020 Dalibo.