[selinux-policy: 2612/3172] [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy pa

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:52:14 UTC 2010


commit ec8d32c8e9afc7ddb56e4ceb9f61d60e2a01c3ea
Author: KaiGai Kohei <kaigai at ak.jp.nec.com>
Date:   Mon Apr 12 10:14:10 2010 -0400

    [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
    
    I found a bug when we initialize the database with dbadm_r:dbadm_t,
    which belongs to the sepgsql_admin_type attribute.
    
    In the case when sepgsql_admin_type creates new database objects,
    it does not have valid type_transition rules. So, it failed.
    Sorry, I didn't find it out for a long time.
    
    And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
    for the administrative domain independently from sepgsql_unconfined_dbadm,
    because we need to execute some of system defined procedures to look up
    system tables.

 Changelog                             |    1 +
 policy/modules/services/postgresql.te |    9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 390ea11..ccdaf25 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- SE-Postgresql updates from KaiGai Kohei.
 - X object manager revisions from Eamon Walsh.
 - Added modules:
 	chronyd (Miroslav Grepl)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index d95c87e..77ff0c6 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
 
-policy_module(postgresql, 1.10.1)
+policy_module(postgresql, 1.10.2)
 
 gen_require(`
 	class db_database all_db_database_perms;
@@ -366,10 +366,17 @@ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setat
 allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
 allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
 
+type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;
+
 allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
+allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
+
+type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
 
 allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
 
+type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
+
 allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
 
 kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
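Review bot: the hunk keeps db_column create on sepgsql_table_type (`allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };`) but adds type_transition rules only for db_table, db_procedure and db_blob, not for db_column; if a column created by sepgsql_admin_type does not inherit its table's label by default, the same missing-default-type failure the commit message describes would recur for column creation, so either add a matching `type_transition sepgsql_admin_type sepgsql_table_type:db_column ...` rule or state in the commit message why columns need none. The new `execute` rule is scoped to sepgsql_proc_exec_t rather than the whole sepgsql_procedure_type attribute, and the db_procedure type_transition defaults newly created procedures to that same type, which keeps the admin domain's executable-procedure set narrow and consistent with the rationale in the commit message.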

