postgresql-pgdg.te

policy_module(postgresql-pgdg, 1.5.0)

require {
        type postgresql_t;
}

## <desc>
##	<p>
##	Determine whether PostgreSQL can query on HTTP ports.
##	</p>
## </desc>
gen_tunable(postgresql_pgdg_can_http, false)

tunable_policy(`postgresql_pgdg_can_http',`
    corenet_tcp_connect_http_port(postgresql_t)
    corenet_tcp_sendrecv_http_port(postgresql_t)
')

## <desc>
##      <p>
##      Allow PostgreSQL/Patroni to access Watchdog devices
##      </p>
## </desc>
gen_tunable(postgresql_pgdg_use_watchdog, false)

tunable_policy(`postgresql_pgdg_use_watchdog',`
    dev_read_watchdog(postgresql_t)
    dev_write_watchdog(postgresql_t)
')

## <desc>
##     <p>
##     Allow PostgreSQL to use NFS filesystems
##     </p>
## </desc>
gen_tunable(postgresql_pgdg_use_nfs, false)

tunable_policy(`postgresql_pgdg_use_nfs',`
    fs_manage_nfs_dirs(postgresql_t)
    fs_manage_nfs_files(postgresql_t)
    fs_manage_nfs_symlinks(postgresql_t)
')

## <desc>
##     <p>
##     Allow PostgreSQL to use FUSE filesystems
##     </p>
## </desc>
gen_tunable(postgresql_pgdg_use_fusefs, false)

tunable_policy(`postgresql_pgdg_use_fusefs',`
    fs_manage_fusefs_dirs(postgresql_t)
    fs_manage_fusefs_files(postgresql_t)
')

files_read_all_symlinks(postgresql_t)
libs_exec_ldconfig(postgresql_t)