blob: 52cecc4c2bbf6d654738a45a547bd6d5f6095523 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
postgresql_packages:
- postgresql-server
- python3-psycopg2
postgresql_user: postgres
postgresql_data_dir: /var/lib/pgsql/data
postgresql_keytab: /var/lib/gssproxy/postgresql.keytab
postgresql_certificate_path: /etc/pki/tls/certs/postgres.pem
postgresql_certificate_key_path: /etc/pki/tls/private/postgres.key
postgresql_dhparams_path: /etc/pki/tls/certs/postgres-dhparams.pem
postgresql_ssl_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
postgresql_hbac_hostgroup: postgresql_servers
postgresql_hbac_service: postgresql
postgresql_archive_shell: >-
pg_dumpall | gzip > "pg_dumpall-$(date +%Y%m%d%H%M%S).sql.gz"
postgresql_selinux_policy_te: |
require {
type postgresql_t;
type postgresql_exec_t;
type gssproxy_t;
type gssproxy_var_lib_t;
class dir search;
class sock_file write;
class unix_stream_socket connectto;
class file getattr;
}
#============= postgresql_t ==============
allow postgresql_t gssproxy_var_lib_t:dir search;
allow postgresql_t gssproxy_var_lib_t:sock_file write;
allow postgresql_t gssproxy_t:unix_stream_socket connectto;
allow postgresql_t gssproxy_var_lib_t:dir search;
#============= gssproxy_t ==============
allow gssproxy_t postgresql_exec_t:file getattr;
|
