policy_module(sepgsql-regtest, 1.01)

## <desc>
## <p>
## Allow to launch regression test of SE-PostgreSQL
## Don't switch to TRUE in normal cases
## </p>
## </desc>
gen_tunable(sepgsql_regression_test_mode, false)

#
# Test domains for database administrators
#
role sepgsql_regtest_dba_r;
userdom_base_user_template(sepgsql_regtest_dba)
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
optional_policy(`
	postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
	postgresql_stream_connect(sepgsql_regtest_dba_t)
')
optional_policy(`
	unconfined_stream_connect(sepgsql_regtest_dba_t)
	unconfined_rw_pipes(sepgsql_regtest_dba_t)
')

#
# Dummy domain for unpriv users
#
role sepgsql_regtest_user_r;
userdom_base_user_template(sepgsql_regtest_user)
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
optional_policy(`
	postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
	postgresql_stream_connect(sepgsql_regtest_user_t)
')
optional_policy(`
	unconfined_stream_connect(sepgsql_regtest_user_t)
	unconfined_rw_pipes(sepgsql_regtest_user_t)
')

#
# Rules to launch psql in the dummy domains
#
optional_policy(`
	gen_require(`
		role unconfined_r;
		type unconfined_t;
		type sepgsql_trusted_proc_t;
	')
	tunable_policy(`sepgsql_regression_test_mode',`
		allow unconfined_t sepgsql_regtest_dba_t : process { transition };
		allow unconfined_t sepgsql_regtest_user_t : process { transition };
	')
	role unconfined_r types sepgsql_regtest_dba_t;
	role unconfined_r types sepgsql_regtest_user_t;
	role unconfined_r types sepgsql_trusted_proc_t;
')