PostgreSQL PITR & SELinux

Hi everybody, I have seen this topic pop up on this ML previously but without much traction. However I'll try it again ;) I'm building PostgreSQL setup with PGPool-II replication and PITR. After some tinkering I've arrived at a module with contents: ===pgsql-pitr.te=== module pgsql-pitr 1.7; require { type ssh_home_t; type ssh_port_t; type ssh_exec_t; type rsync_exec_t; type postgresql_t; class tcp_socket name_connect; class file { getattr execute read open execute_no_trans }; class dir { search getattr }; } allow postgresql_t rsync_exec_t:file { read open execute_no_trans getattr execute }; allow postgresql_t ssh_exec_t:file { read open execute execute_no_trans }; allow postgresql_t ssh_home_t:dir { search getattr }; allow postgresql_t ssh_home_t:file { read open getattr }; allow postgresql_t ssh_port_t:tcp_socket name_connect; ===end of pgsql-pitr.te=== All of the above to allow me to launch rsync as an "archive_command" from postgres an copy WAL files from primary over to secondary, generated from auditd messages thus very specific. I could probably drop the rsync part and go with scp alone but that won't change what I'm about to ask. What I really wander about is - above I've opened up quite a few things that are very specific to this mode of operation, however I can't believe I'm in a situation nobody else have been before and there are no booleans/tunables for most of things outlined above. So is there a way to make above utilize existing hooks or is it "as good as it gets"? -- Dmitry Makovey Web Systems Administrator Athabasca University (780) 675-6245 --- Confidence is what you have before you understand the problem Woody Allen When in trouble when in doubt run in circles scream and shout http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330 -- This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed. ---