From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 27 Aug 2010 09:24:33 -0400
Subject: [refpolicy] roles_dbadm.patch
In-Reply-To: <4C7769E0.1050605@ak.jp.nec.com>
References: <4C76EB3E.80903@redhat.com> <4C7769E0.1050605@ak.jp.nec.com>
Message-ID: <4C77BC91.5050501@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/27/2010 03:31 AM, KaiGai Kohei wrote:
> (2010/08/27 7:31), Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_dbadm.patch
>>
>> Add sudo for transition from staff.
>>
>> I think this should not be a login domain.
> 
> | --- a/policy/modules/roles/dbadm.te
> | +++ b/policy/modules/roles/dbadm.te
> | @@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
> |
> |  role dbadm_r;
> |
> | -userdom_base_user_template(dbadm)
> | +userdom_unpriv_user_template(dbadm)
> |
> |  ########################################
> |  #
> 
> The userdom_unpriv_user_template() contains userdom_login_user_template()
> which allows dbadm_t performs as a login domain.
> It is not what you intend, is it?
> 
No my mistake.  I reversed the patch.  It should be

userdom_base_user_template(dbadm)
> In the latest refpolicy, dbadm is declared with userdom_base_user_template().
> 
> | @@ -58,3 +58,7 @@ optional_policy(`
> |  optional_policy(`
> |  	postgresql_admin(dbadm_t, dbadm_r)
> |  ')
> | +
> | +optional_policy(`
> | +	sudo_role_template(dbadm, dbadm_r, dbadm_t)
> | +')
> | diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
> | index 531c616..321e5a7 100644
> 
> Also, it was already merged in the latest refpolicy.
> 
Not in the refpolicy I am looking at.
> BTW, could you add the dbadm.pp into selinux-policy package?
> IIRC, you concerned about dbadm_t is declared as login domain.
> 
> Thanks,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkx3vJEACgkQrlYvE4MpobNNdACg0A2PnKxkWKw1g8c/+9CRgfDD
DIUAnjhKbG2F60UQ3V23FZrbalzLl0Sl
=knMn
-----END PGP SIGNATURE-----