2010-04-09 05:40:22

by Kohei KaiGai

Subject: [refpolicy] [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)

A corresponding problem.

I found a bug when we initialize the database with dbadm_r:dbadm_t,
which belongs to the sepgsql_admin_type attribute.

In the case when sepgsql_admin_type creates new database objects,
it does not have valid type_transition rules. So, it failed.
Sorry, I didn't find it for a long time.

And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
for the administrative domain independently from sepgsql_unconfined_dbadm,
because we need to execute some of system defined procedures to look up
system tables.

Thanks,

(2010/04/08 21:15), Daniel J Walsh wrote:
> As Dominick stated. I prefer to think in terms of two different roles.
> Login Roles, and Roles to execute in when you have privileges (IE Root).
>
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
>
> Three interfaces can be used to create confined login users.
>
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
>
>
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
>
> The following interface can be used to create an Admin Role
> userdom_base_user_template(logadm)
>
>
> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>
>
> I imagine that you log in as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.
>
> Of course you are free to design your own system creating fully login
> admin roles. Or creating additional non admin user roles.
>
>


--
KaiGai Kohei <[email protected]>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-pgsql-fixes.1.patch
Type: text/x-patch
Size: 1379 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100409/6369d3e6/attachment.bin


2010-04-12 14:16:09

by cpebenito

Subject: [refpolicy] [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)

On Fri, 2010-04-09 at 14:40 +0900, KaiGai Kohei wrote:
> A corresponding problem.
>
> I found a bug when we initialize the database with dbadm_r:dbadm_t,
> which belongs to the sepgsql_admin_type attribute.
>
> In the case when sepgsql_admin_type creates new database objects,
> it does not have valid type_transition rules. So, it failed.
> Sorry, I didn't find it for a long time.
>
> And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
> for the administrative domain independently from sepgsql_unconfined_dbadm,
> because we need to execute some of system defined procedures to look up
> system tables.

Merged. In the future, please do not increment the module version as
part of your patch.

> (2010/04/08 21:15), Daniel J Walsh wrote:
> > As Dominick stated. I prefer to think in terms of two different roles.
> > Login Roles, and Roles to execute in when you have privileges (IE Root).
> >
> > Login Roles/Types
> > staff_t, user_t, unconfined_t, xguest_t, guest_t
> >
> > Three interfaces can be used to create confined login users.
> >
> > userdom_restricted_user_template(guest)
> > userdom_restricted_xwindows_user_template(xguest)
> > userdom_unpriv_user_template(staff)
> >
> >
> > Admin Roles/Types
> > logadm_t, webadm_t, secadm_t, auditadm_t
> >
> > The following interface can be used to create an Admin Role
> > userdom_base_user_template(logadm)
> >
> >
> > sysadm_t is sort of a hybrid, most people use it as an Admin Role.
> >
> >
> > I imagine that you log in as a confined user and then use sudo/newrole to
> > switch roles to one of the admin roles.
> >
> > Of course you are free to design your own system creating fully login
> > admin roles. Or creating additional non admin user roles.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150