From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 12 Apr 2010 10:16:09 -0400
Subject: [refpolicy] [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
In-Reply-To: <4BBEBDC6.8070507@ak.jp.nec.com>
References: <4BBD28D0.8080204@ak.jp.nec.com> <20100408082729.GE25042@localhost.localdomain> <4BBDC8E5.1050307@redhat.com> <4BBEBDC6.8070507@ak.jp.nec.com>
Message-ID: <1271081769.2815.192.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2010-04-09 at 14:40 +0900, KaiGai Kohei wrote:
> A corresponding problem.
>
> I found a bug when we initialize the database with dbadm_r:dbadm_t,
> which belongs to the sepgsql_admin_type attribute.
>
> When sepgsql_admin_type creates new database objects, it does not
> have valid type_transition rules. So it failed.
> Sorry, I didn't find it out for a long time.
>
> And db_procedure:{execute} on sepgsql_proc_exec_t might be necessary
> for the administrative domain independently of sepgsql_unconfined_dbadm,
> because we need to execute some system-defined procedures to look up
> system tables.

Merged. In the future, please do not increment the module version as part of your patch.

> (2010/04/08 21:15), Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > As Dominick stated, I prefer to think in terms of two different roles:
> > login roles, and roles to execute in when you have privileges (i.e. root).
> >
> > Login Roles/Types
> > staff_t, user_t, unconfined_t, xguest_t, guest_t
> >
> > Three interfaces can be used to create confined login users.
> >
> > userdom_restricted_user_template(guest)
> > userdom_restricted_xwindows_user_template(xguest)
> > userdom_unpriv_user_template(staff)
> >
> >
> > Admin Roles/Types
> > logadm_t, webadm_t, secadm_t, auditadm_t
> >
> > The following interface can be used to create an Admin Role:
> > userdom_base_user_template(logadm)
> >
> >
> > sysadm_t is sort of a hybrid; most people use it as an Admin Role.
> >
> >
> > I imagine that you login as a confined user and then use sudo/newrole to
> > switch roles to one of the admin roles.
> >
> > Of course you are free to design your own system creating fully login
> > admin roles, or creating additional non-admin user roles.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
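The two points KaiGai raises (a missing type_transition for the admin attribute, and db_procedure execute on sepgsql_proc_exec_t) map onto two kinds of policy statement. The snippet below is an added illustration written for this archive page, not the patch that was merged, and it assumes the refpolicy type names sepgsql_db_t (the database object) and sepgsql_table_t (ordinary user tables) from the postgresql module; the permission sets chosen are illustrative.

```selinux
# Added illustration, not the merged refpolicy patch.  Both rules are
# written against the sepgsql_admin_type attribute so that every
# administrative domain (dbadm_t among them) receives them.
#
# Assumed names: sepgsql_db_t for the database, sepgsql_table_t for
# user tables, sepgsql_proc_exec_t for system-defined procedures.

# 1. Object creation.  Without a type_transition, SELinux gives a newly
#    created (non-process) object the type of the parent it is created
#    under, so a table that dbadm_t creates in a sepgsql_db_t database
#    would itself be labelled sepgsql_db_t, and the db_table rules that
#    exist for sepgsql_table_t would never match it.  The transition
#    sets the intended default type instead.
type_transition sepgsql_admin_type sepgsql_db_t:db_table sepgsql_table_t;

# The creating domain must also be allowed to create objects of the
# type the transition produces, or the CREATE itself is denied.
allow sepgsql_admin_type sepgsql_table_t:db_table { create getattr setattr drop };

# 2. System-defined procedures.  Looking up the system catalogs invokes
#    procedures labelled sepgsql_proc_exec_t, so the admin attribute needs
#    execute on them whether or not sepgsql_unconfined_dbadm is in use.
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure { getattr execute };
```

To confirm a built policy actually carries rules like these for the dbadm domain, setools' sesearch can be queried for the transition and the allow rule respectively: `sesearch -T -s dbadm_t -c db_table` and `sesearch -A -s dbadm_t -t sepgsql_proc_exec_t -c db_procedure -p execute`; sesearch matches rules granted through an attribute, so a rule on sepgsql_admin_type shows up when querying dbadm_t. An empty result for the first query is exactly the symptom KaiGai describes: object creation falls back to the parent's type and later accesses are denied.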