From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 12 Apr 2010 10:09:15 -0400
Subject: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)
In-Reply-To: <4BBEBB52.9090907@ak.jp.nec.com>
References: <4BBD28D0.8080204@ak.jp.nec.com> <20100408082729.GE25042@localhost.localdomain> <4BBDC8E5.1050307@redhat.com> <4BBEBB52.9090907@ak.jp.nec.com>
Message-ID: <1271081355.2815.191.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2010-04-09 at 14:29 +0900, KaiGai Kohei wrote:
> (2010/04/08 21:15), Daniel J Walsh wrote:
> > As Dominick stated. I prefer to think in terms of two different roles.
> > Login Roles, and Roles to execute in when you have privileges (IE Root).
> >
> > Login Roles/Types
> > staff_t, user_t, unconfined_t, xguest_t, guest_t
> >
> > Three interfaces can be used to create confined login users.
> >
> > userdom_restricted_user_template(guest)
> > userdom_restricted_xwindows_user_template(xguest)
> > userdom_unpriv_user_template(staff)
> >
> >
> > Admin Roles/Types
> > logadm_t, webadm_t, secadm_t, auditadm_t
> >
> > The following interface can be used to create an Admin Role
> > userdom_base_user_template(logadm)
> >
> >
> > sysadm_t is sort of a hybrid, most people use it as an Admin Role.
> >
> >
> > I imagine that you login as a confined user and then use sudo/newrole to
> > switch roles to one of the admin roles.
>
> The attached patch revises roles/dbadm.te (to be applied on the upstream
> reference policy). It uses userdom_base_user_template() instead of the
> userdom_unpriv_user_template(), and should be launched via sudo/newrole.
> By default, it intends the dbadm_r role to be launched by the staff_r role.

Why does dbadm need to run setfiles? Use of staff_role_change_to() is not allowed upstream.
If staff should be allowed to change to dbadm, the dbadm_role_change() should be used in the staff module.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
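As an added illustration of the module split Chris asks for (this is not the patch under discussion nor the upstream files): the admin module only declares its role and exports a role-change interface, and the login-role module decides who may use it. The body of dbadm_role_change() is assumed to follow the conventional refpolicy shape of a *_role_change() interface.

```m4
# roles/dbadm.te (illustrative skeleton, not the upstream file)
policy_module(dbadm, 1.0.0)

role dbadm_r;

# Admin role: built from the base template, so it carries no
# login-user privileges and is entered via sudo/newrole.
userdom_base_user_template(dbadm)

# NOT here: staff_role_change_to(dbadm_r). The admin module must not
# grant another role the right to switch into it.

# roles/dbadm.if (assumed conventional form of a role-change interface)
interface(`dbadm_role_change',`
	gen_require(`
		role dbadm_r;
	')

	# role allow: the caller's role may change to dbadm_r
	allow $1 dbadm_r;
')

# roles/staff.te: the login-role module owns the decision that
# staff_r may change to dbadm_r, and only if dbadm is present.
optional_policy(`
	dbadm_role_change(staff_r)
')
```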