The attached patch add a new role for database administrator (dbadm).
Most of postgresql_admin() definitions were copied from Dan's patch,
so either of them may conflict, but it is not difficult to integrate.
- It allows dbadm to start/stop PostgreSQL server process, and to manage
corresponding files.
- It allows dbadm to start/stop MySQL server process, and to manage
corresponding files.
(*) Note that I've not tested MySQL related permissions yet.
- It allows to execute su and sudo to run init script.
- It allows to execute DDL statements in SE-PostgreSQL, but permissions
to execute DML statement are depending on the sepgsql_unconfined_dbadm
boolean.
It allows to control whether user data are visible for DBA, or not.
(Oracle's security option has similar idea. All the DBA can do is
defining the schema, not available to access user data.)
- postgresql_role() is moved to unprivuser.te, staff.te and webadm.te
from the userdom_unpriv_user_template(), because different rules should
be applied on dbadm role.
----
BTW, I have a plan to define an individual domain for backup and restore
utilities to separate permissions to access user data from dbadm role
in the future.
In this situation, dbadm can execute backup/restore utilities which can
access user data with domain transition, but dbadm cannot access user
data directly in database and newly generated backup file. It ensures
DBA to dump whole of the database with keeping confidence of the contents.
See the page.28 in:
http://sepgsql.googlecode.com/files/JLS2009-KaiGai-LAPP_SELinux.pdf
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[email protected]>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-dbadm.patch
Type: text/x-patch
Size: 10282 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091204/47c7a17e/attachment.bin
On Fri, 2009-12-04 at 17:32 +0900, KaiGai Kohei wrote:
> The attached patch add a new role for database administrator (dbadm).
> Most of postgresql_admin() definitions were copied from Dan's patch,
> so either of them may conflict, but it is not difficult to integrate.
>
> - It allows dbadm to start/stop PostgreSQL server process, and to manage
> corresponding files.
>
> - It allows dbadm to start/stop MySQL server process, and to manage
> corresponding files.
> (*) Note that I've not tested MySQL related permissions yet.
>
> - It allows to execute su and sudo to run init script.
>
> - It allows to execute DDL statements in SE-PostgreSQL, but permissions
> to execute DML statement are depending on the sepgsql_unconfined_dbadm
> boolean.
> It allows to control whether user data are visible for DBA, or not.
> (Oracle's security option has similar idea. All the DBA can do is
> defining the schema, not available to access user data.)
>
> - postgresql_role() is moved to unprivuser.te, staff.te and webadm.te
> from the userdom_unpriv_user_template(), because different rules should
> be applied on dbadm role.
Merged.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150