[selinux-policy: 3061/3172] Tunable, optional and if(n)def blocks go below.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:32:21 UTC 2010


commit b46b3ad67f5649a4394fce79de900d08f46b603a
Author: Dominick Grift <domg472 at gmail.com>
Date:   Mon Sep 20 19:50:51 2010 +0200

    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.

 policy/modules/services/postgresql.if |   30 +++++++++++++++---------------
 1 files changed, 15 insertions(+), 15 deletions(-)
---
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index f8924b6..ac2d3e7 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -45,14 +45,6 @@ interface(`postgresql_role',`
 	# Client local policy
 	#
 
-	tunable_policy(`sepgsql_enable_users_ddl',`
-		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-
-		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-	')
-
 	allow $2 user_sepgsql_table_t:db_table	{ getattr use select update insert delete lock };
 	allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
 	allow $2 user_sepgsql_table_t:db_tuple	{ use select update insert delete };
@@ -69,6 +61,14 @@ interface(`postgresql_role',`
 
 	allow $2 sepgsql_trusted_proc_t:process transition;
 	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+
+	tunable_policy(`sepgsql_enable_users_ddl',`
+		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+
+		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+	')
 ')
 
 ########################################
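Review bot: The sepgsql_enable_users_ddl block now placed at the end of postgresql_role carries no comment saying what the boolean unlocks, although it is the only conditional grant in the visible part of the interface and it widens the role from data access to `create drop setattr` on tables, columns and procedures. A one-line header above it would help, for example `# DDL on user-labeled database objects, only when sepgsql_enable_users_ddl is set`. The `user_sepgsql_sysobj_t:db_tuple { update insert delete }` rule deserves its own why-comment, since it grants writes to system-object tuples; presumably these are the catalog rows that DDL statements modify, which should be confirmed before it is written down. The same applies to the block added at the end of postgresql_unpriv_client in the `@@ -378,6 +371,13 @@` hunk, which also omits the blank line that separates the rule groups here. Both interfaces begin outside the hunks shown.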
@@ -358,13 +358,6 @@ interface(`postgresql_unpriv_client',`
 	type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
 	allow $1 sepgsql_trusted_proc_t:process transition;
 
-	tunable_policy(`sepgsql_enable_users_ddl',`
-		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
-		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
-		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-	')
-
 	allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
 	allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
 	allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
@@ -378,6 +371,13 @@ interface(`postgresql_unpriv_client',`
 
 	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
 	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
+
+	tunable_policy(`sepgsql_enable_users_ddl',`
+		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+	')
 ')
 
 ########################################

