From: kaigai@ak.jp.nec.com (KaiGai Kohei)
Date: Fri, 09 Apr 2010 14:40:22 +0900
Subject: [refpolicy] [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
In-Reply-To: <4BBDC8E5.1050307@redhat.com>
References: <4BBD28D0.8080204@ak.jp.nec.com> <20100408082729.GE25042@localhost.localdomain> <4BBDC8E5.1050307@redhat.com>
Message-ID: <4BBEBDC6.8070507@ak.jp.nec.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

A corresponding problem.

I found a bug when we initialize the database with dbadm_r:dbadm_t, which belongs to the sepgsql_admin_type attribute. In the case when sepgsql_admin_type creates new database objects, it does not have valid type_transition rules. So, it failed. Sorry, I didn't find it for a long time.

And db_procedure:{execute} on sepgsql_proc_exec_t might be necessary for the administrative domain independently of sepgsql_unconfined_dbadm, because we need to execute some of the system-defined procedures to look up system tables.

Thanks,

(2010/04/08 21:15), Daniel J Walsh wrote:
> As Dominick stated, I prefer to think in terms of two different roles.
> Login Roles, and Roles to execute in when you have privileges (IE Root).
>
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
>
> Three interfaces can be used to create confined login users.
>
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
>
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
>
> The following interface can be used to create an Admin Role
> userdom_base_user_template(logadm)
>
> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>
> I imagine that you login as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.
>
> Of course you are free to design your own system creating fully login
> admin roles. Or creating additional non admin user roles.
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
KaiGai Kohei

-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-pgsql-fixes.1.patch
Type: text/x-patch
Size: 1379 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100409/6369d3e6/attachment.bin
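Added illustration of the kind of rules the message above describes as missing; this is neither the scrubbed patch nor refpolicy's own text. sepgsql_admin_type, sepgsql_proc_exec_t and sepgsql_unconfined_dbadm appear in the message; sepgsql_db_t, sepgsql_table_t and the db_* class permissions are assumed to match the refpolicy postgresql module and may differ in a given release.

```selinux
# Illustrative refpolicy-style fragment (assumption: type, class and
# permission names as in the refpolicy postgresql module; not the patch
# attached to the message).
#
# Why a missing type_transition makes object creation fail: with no rule,
# a table created inside a sepgsql_db_t database is labelled with the
# parent's type (sepgsql_db_t), and the admin domain has no db_table
# permissions on that type, so CREATE TABLE is denied.

# The administrative attribute may create objects within the database.
allow sepgsql_admin_type sepgsql_db_t:db_database { access getattr setattr create drop };

# Default labels for objects created by administrative domains.
type_transition sepgsql_admin_type sepgsql_db_t:db_table sepgsql_table_t;
type_transition sepgsql_admin_type sepgsql_db_t:db_procedure sepgsql_proc_exec_t;

# Permissions on the objects that now receive those labels.
allow sepgsql_admin_type sepgsql_table_t:db_table { create drop getattr setattr select update insert delete };
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure { create drop getattr setattr };

# The message's second point: executing system-defined procedures to read
# the system catalog is needed regardless of the sepgsql_unconfined_dbadm
# tunable, so grant it unconditionally rather than inside the tunable block.
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;

# Check on a built policy that the transitions are actually present
# (setools sesearch; -T lists type_transition rules):
#   sesearch -T -s sepgsql_admin_type -c db_table
#   sesearch -A -s sepgsql_admin_type -t sepgsql_proc_exec_t -c db_procedure
```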