From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 13 Apr 2010 11:57:18 -0400 Subject: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package) In-Reply-To: <4BC48A80.3000808@redhat.com> References: <4BBD28D0.8080204@ak.jp.nec.com> <20100408082729.GE25042@localhost.localdomain> <4BBDC8E5.1050307@redhat.com> <4BBEBB52.9090907@ak.jp.nec.com> <1271081355.2815.191.camel@gorn.columbia.tresys.com> <4BC3BAA5.4050502@ak.jp.nec.com> <1271164663.2815.214.camel@gorn.columbia.tresys.com> <4BC48A80.3000808@redhat.com> Message-ID: <1271174238.2815.222.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2010-04-13 at 11:15 -0400, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 04/13/2010 09:17 AM, Christopher J. PeBenito wrote: > > On Tue, 2010-04-13 at 09:28 +0900, KaiGai Kohei wrote: > >> (2010/04/12 23:09), Christopher J. PeBenito wrote: > >>> On Fri, 2010-04-09 at 14:29 +0900, KaiGai Kohei wrote: > >>>> (2010/04/08 21:15), Daniel J Walsh wrote: > >>>>> As Dominick stated. I prefer to think in terms of two different roles. > >>>>> Login Roles, and Roles to execute in when you have privileges (IE Root). > >>>>> > >>>>> Login Roles/Types > >>>>> staff_t, user_t, unconfined_t, xguest_t, guest_t > >>>>> > >>>>> Three interfaces can be used to create confined login users. > >>>>> > >>>>> userdom_restricted_user_template(guest) > >>>>> userdom_restricted_xwindows_user_template(xguest) > >>>>> userdom_unpriv_user_template(staff) > >>>>> > >>>>> > >>>>> Admin Roles/Types > >>>>> logadm_t, webadm_t, secadm_t, auditadm_t > >>>>> > >>>>> The following interface can be used to create an Admin ROle > >>>>> userdom_base_user_template(logadm) > >>>>> > >>>>> > >>>>> sysadm_t is sort of a hybrid, most people use it as an Admin Role. > >>>>> > >>>>> > >>>>> I imagine that you login as a confined user and then use sudo/newrole to > >>>>> switch roles to one of the admin roles. > >>>> > >>>> The attached patch revises roles/dbadm.te (to be applied on the upstream > >>>> reference policy). It uses userdom_base_user_template() instead of the > >>>> userdom_unpriv_user_template(), and should be launched via sudo/newrole. > >>>> In the default, it intends the dbadm_r role to be launched by staff_r role. > >>> > >>> Why does dbadm need to run setfiles? > >> > >> The database files (typically, /var/lib/(se)?pgsql/*) have to be labeled > >> correctly, so I thought dbadm needs to run setfiles. > >> However, as long as they initialize database files using init script, > >> initrc_t domain performs this initial labeling, so it might not be necessary. > >> > >> On the other hand, PostgreSQL support a feature to use multiple disks > >> within a single database instance for performance utilization. > >> (Called TABLESPACE; I don't know whether MySQL has such a feature.) > >> > >> http://archives.postgresql.org/pgsql-general/2006-08/msg00142.php > >> > >> It requires administrators to assign proper security context on the secondary > >> directory, or to mount the secondary disk with context='...' option. > >> > >> Is there any good idea? > >> > >> Or, it should not be a task for dbadm? > > > > Ok, the transition for setfiles is fine. > > > > I would be carefull with this. Since setfiles can take a parameter of a > file context file. I think it would be better to only give > relabefrom/relabelto privs for all labels dbadm_t can manage. Then > figure out what access is required to mount. Good point. We should probably reconsider the setfiles usage from webadm too. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150