From: kaigai@ak.jp.nec.com (KaiGai Kohei)
Date: Fri, 27 Aug 2010 16:31:44 +0900
Subject: [refpolicy] roles_dbadm.patch
In-Reply-To: <4C76EB3E.80903@redhat.com>
References: <4C76EB3E.80903@redhat.com>
Message-ID: <4C7769E0.1050605@ak.jp.nec.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

(2010/08/27 7:31), Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_dbadm.patch
>
> Add sudo for transition from staff.
>
> I think this should not be a login domain.

| --- a/policy/modules/roles/dbadm.te
| +++ b/policy/modules/roles/dbadm.te
| @@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
|
| role dbadm_r;
|
| -userdom_base_user_template(dbadm)
| +userdom_unpriv_user_template(dbadm)
|
| ########################################
| #

The userdom_unpriv_user_template() contains userdom_login_user_template(), which allows dbadm_t to perform as a login domain. It is not what you intend, is it?

In the latest refpolicy, dbadm is declared with userdom_base_user_template().

| @@ -58,3 +58,7 @@ optional_policy(`
| optional_policy(`
| postgresql_admin(dbadm_t, dbadm_r)
| ')
| +
| +optional_policy(`
| + sudo_role_template(dbadm, dbadm_r, dbadm_t)
| +')
| diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
| index 531c616..321e5a7 100644

Also, it was already merged in the latest refpolicy.

BTW, could you add the dbadm.pp into the selinux-policy package? IIRC, you were concerned about dbadm_t being declared as a login domain.

Thanks,
--
KaiGai Kohei
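Review bot: in the `@@ -21,7 +21,7 @@` hunk, swapping `userdom_base_user_template(dbadm)` for `userdom_unpriv_user_template(dbadm)` works against the stated intent ("I think this should not be a login domain"): as the reply notes, userdom_unpriv_user_template() pulls in userdom_login_user_template(), so after this change dbadm_t becomes a login domain, and it also picks up the full unprivileged-user privilege set rather than the minimal base domain the role currently has. Keep `userdom_base_user_template(dbadm)` (which is also what current upstream refpolicy declares) and add only the specific rules the sudo transition needs, so the role's attack surface does not grow as a side effect of enabling sudo.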
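Review bot: in the `@@ -58,3 +58,7 @@` hunk, the new `sudo_role_template(dbadm, dbadm_r, dbadm_t)` block wires sudo for dbadm_t itself (the domain argument is dbadm_t), whereas the description says "Add sudo for transition from staff"; nothing in this hunk touches the staff side, so either the description should say this enables sudo from within the dbadm role, or the staff-to-dbadm half of the transition is missing from the patch. The reply also says this block is already merged in upstream refpolicy, so it will drop out on rebase and should not be re-submitted; a short comment naming the module the optional_policy block depends on would match the style of the preceding postgresql_admin block.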