Hi everybody,
I have seen this topic pop up on this ML previously but without much traction. However I'll try it again ;)
I'm building a PostgreSQL setup with PGPool-II replication and PITR. After some tinkering I've arrived at a module with the following contents:
===pgsql-pitr.te===
module pgsql-pitr 1.7;
# Types, classes and permissions referenced below must be declared up front.
require {
    type ssh_home_t; type ssh_port_t; type ssh_exec_t; type rsync_exec_t; type postgresql_t;
    class tcp_socket name_connect;
    class file { getattr execute read open execute_no_trans };
    class dir { search getattr };
}
# Let the postgres server process run rsync and ssh in its own domain (no transition).
allow postgresql_t rsync_exec_t:file { read open execute_no_trans getattr execute };
allow postgresql_t ssh_exec_t:file { read open execute execute_no_trans };
# Read ~/.ssh (keys, known_hosts) and connect out to port 22.
allow postgresql_t ssh_home_t:dir { search getattr };
allow postgresql_t ssh_home_t:file { read open getattr };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
===end of pgsql-pitr.te===
All of the above is to allow me to launch rsync as an "archive_command" from postgres and copy WAL files from the primary over to the secondary; it was generated from auditd messages, thus it is very specific. I could probably drop the rsync part and go with scp alone, but that won't change what I'm about to ask.
What I really wonder about is this: above I've opened up quite a few things that are very specific to this mode of operation, however I can't believe I'm in a situation nobody else has been in before and that there are no booleans/tunables for most of the things outlined above. So is there a way to make the above utilize existing hooks, or is it "as good as it gets"?
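The check a policy author would normally run before shipping a module like the one above is whether the base policy already grants each rule (a boolean may be all that is needed), and only then build and load the module. The script below, an added example and not part of the original post, does that with the standard SELinux userspace tools: sesearch (setools) to query the loaded policy, getsebool for tunables, and checkmodule / semodule_package / semodule to build and install. It assumes those tools are on PATH and that it is run as root for the install step; the file and module names are taken from the post. The .te text is embedded so the script runs stand-alone.

```shell
#!/bin/sh
# Pre-flight a hand-written policy module against the loaded policy, then build it.
set -eu

MODULE=pgsql-pitr

# Write the module source from the post into $1 (comments added).
write_te() {
    cat > "$1" <<'EOF'
module pgsql-pitr 1.7;
require {
    type ssh_home_t; type ssh_port_t; type ssh_exec_t; type rsync_exec_t; type postgresql_t;
    class tcp_socket name_connect;
    class file { getattr execute read open execute_no_trans };
    class dir { search getattr };
}
# run rsync/ssh from archive_command in the postgresql_t domain
allow postgresql_t rsync_exec_t:file { read open execute_no_trans getattr execute };
allow postgresql_t ssh_exec_t:file { read open execute execute_no_trans };
# read ~/.ssh and connect to port 22
allow postgresql_t ssh_home_t:dir { search getattr };
allow postgresql_t ssh_home_t:file { read open getattr };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
EOF
}

# Print "SOURCE TARGET CLASS" for every allow rule in a .te file, one per line.
# Used to drive the sesearch check below without hand-copying the rules.
list_allow_rules() {
    sed -n 's/^allow \([a-z_]*\) \([a-z_]*\):\([a-z_]*\) .*/\1 \2 \3/p' "$1"
}

# Count the allow rules in a .te file (sanity check that the parser saw them all).
count_allow_rules() {
    list_allow_rules "$1" | wc -l | tr -d ' '
}

# Does the loaded policy already contain an allow rule for source/target/class?
# sesearch prints matching rules starting with "allow "; an empty result means
# the module really is needed for that rule.
already_allowed() {
    sesearch -A -s "$1" -t "$2" -c "$3" 2>/dev/null | grep -q '^allow '
}

# Report which rules of the module are redundant and which booleans touch postgresql.
preflight() {
    echo "== booleans mentioning postgresql (tunables you could flip instead) =="
    getsebool -a | grep -i postgres || echo "(none)"
    echo "== rules already granted by the loaded policy =="
    list_allow_rules "$1" | while read -r src tgt cls; do
        if already_allowed "$src" "$tgt" "$cls"; then
            echo "redundant: allow $src $tgt:$cls"
        else
            echo "needed:    allow $src $tgt:$cls"
        fi
    done
}

# Compile the .te to a loadable .pp; this is the same pipeline audit2allow -M uses.
build_module() {
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
}

# Load the package and confirm it is listed; re-running with a higher version replaces it.
install_module() {
    semodule -i "$MODULE.pp"
    semodule -l | grep -q "^$MODULE" && echo "$MODULE loaded"
}

if [ "${1:-}" = "run" ]; then
    write_te "$MODULE.te"
    preflight "$MODULE.te"
    build_module
    install_module
fi
```

Run it as `sh pitr-module.sh run` on the primary. If preflight marks every rule "needed" and getsebool shows no relevant boolean, the custom module is the supported answer; if a rule comes back "redundant" after toggling a boolean, drop it from the .te before rebuilding.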