From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 27 Aug 2010 09:24:33 -0400
Subject: [refpolicy] roles_dbadm.patch
In-Reply-To: <4C7769E0.1050605@ak.jp.nec.com>
References: <4C76EB3E.80903@redhat.com> <4C7769E0.1050605@ak.jp.nec.com>
Message-ID: <4C77BC91.5050501@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/27/2010 03:31 AM, KaiGai Kohei wrote:
> (2010/08/27 7:31), Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_dbadm.patch
>>
>> Add sudo for transition from staff.
>>
>> I think this should not be a login domain.
>
> | --- a/policy/modules/roles/dbadm.te
> | +++ b/policy/modules/roles/dbadm.te
> | @@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
> |
> | role dbadm_r;
> |
> | -userdom_base_user_template(dbadm)
> | +userdom_unpriv_user_template(dbadm)
> |
> | ########################################
> | #
>
> The userdom_unpriv_user_template() contains userdom_login_user_template()
> which allows dbadm_t to perform as a login domain.
> It is not what you intend, is it?
>
No, my mistake. I reversed the patch. It should be
userdom_base_user_template(dbadm)

> In the latest refpolicy, dbadm is declared with userdom_base_user_template().
>
> | @@ -58,3 +58,7 @@ optional_policy(`
> | optional_policy(`
> | postgresql_admin(dbadm_t, dbadm_r)
> | ')
> | +
> | +optional_policy(`
> | + sudo_role_template(dbadm, dbadm_r, dbadm_t)
> | +')
> |
diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
> | index 531c616..321e5a7 100644
>
> Also, it was already merged in the latest refpolicy.
>
Not in the refpolicy I am looking at.

> BTW, could you add the dbadm.pp into selinux-policy package?
> IIRC, you concerned about dbadm_t is declared as login domain.
>
> Thanks,
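
Review bot: The swap in the first dbadm.te hunk (@@ -21,7 +21,7 @@) runs opposite to the stated aim that dbadm should not be a login domain. As the quoted reply points out, userdom_unpriv_user_template() contains userdom_login_user_template(), so the "+" line would let dbadm_t act as a login domain, and the author confirms the patch was reversed. Keep userdom_base_user_template(dbadm) and drop this hunk from the submission.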
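
Review bot: The block added at the end of the second dbadm.te hunk (@@ -58,3 +58,7 @@) has no comment tying it to the description "Add sudo for transition from staff". The visible lines only instantiate sudo_role_template(dbadm, dbadm_r, dbadm_t) for the dbadm role itself and nothing in this hunk touches staff. A one-line comment above the optional_policy block saying what the sudo domain is for, plus a pointer in the description to where the staff-side rule lives, would let the hunk be reviewed on its own.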