From: domg472@gmail.com (Dominick Grift)
Date: Fri, 27 Aug 2010 15:27:29 +0200
Subject: [refpolicy] roles_dbadm.patch
In-Reply-To: <4C77BC91.5050501@redhat.com>
References: <4C76EB3E.80903@redhat.com> <4C7769E0.1050605@ak.jp.nec.com> <4C77BC91.5050501@redhat.com>
Message-ID: <4C77BD41.70708@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/27/2010 03:24 PM, Daniel J Walsh wrote:
> On 08/27/2010 03:31 AM, KaiGai Kohei wrote:
>> (2010/08/27 7:31), Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_dbadm.patch
>>>
>>> Add sudo for transition from staff.
>>>
>>> I think this should not be a login domain.
>
>> | --- a/policy/modules/roles/dbadm.te
>> | +++ b/policy/modules/roles/dbadm.te
>> | @@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
>> |
>> | role dbadm_r;
>> |
>> | -userdom_base_user_template(dbadm)
>> | +userdom_unpriv_user_template(dbadm)
>> |
>> | ########################################
>> | #
>
>> The userdom_unpriv_user_template() contains userdom_login_user_template()
>> which allows dbadm_t to perform as a login domain.
>> It is not what you intend, is it?
>
> No, my mistake. I reversed the patch. It should be
>
> userdom_base_user_template(dbadm)
>> In the latest refpolicy, dbadm is declared with userdom_base_user_template().
>
>> | @@ -58,3 +58,7 @@ optional_policy(`
>> | optional_policy(`
>> | postgresql_admin(dbadm_t, dbadm_r)
>> | ')
>> | +
>> | +optional_policy(`
>> | + sudo_role_template(dbadm, dbadm_r, dbadm_t)
>> | +')
>> | diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
>> | index 531c616..321e5a7 100644
>
>> Also, it was already merged in the latest refpolicy.
>
> Not in the refpolicy I am looking at.

http://oss.tresys.com/projects/refpolicy/changeset/c62f1bef77c839295b49bdddc7bfd13df780bf4e

>> BTW, could you add the dbadm.pp into selinux-policy package?
>> IIRC, you were concerned about dbadm_t being declared as a login domain.
>
>> Thanks,
>
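Review bot: in the @@ -21,7 +21,7 @@ hunk of dbadm.te, the added line `userdom_unpriv_user_template(dbadm)` contradicts the stated intent that dbadm "should not be a login domain". As the reply points out, that template pulls in userdom_login_user_template(), so dbadm_t would become a login domain. The removed line `userdom_base_user_template(dbadm)` is the one to keep, which the author confirms when saying the patch was reversed. The hunk should be dropped or regenerated in the right direction before the rest of the patch is applied.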
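Review bot: in the @@ -58,3 +58,7 @@ hunk of dbadm.te, the new optional_policy block calling `sudo_role_template(dbadm, dbadm_r, dbadm_t)` needs to be checked against the target tree, because the thread disagrees on whether it is already merged and the linked changeset should settle that first. Applying it on top of a tree that already has the block would instantiate the sudo template for dbadm a second time. The block also carries no comment. Since the description says the sudo is for transition from staff, while the visible lines only give dbadm_t its own sudo domain, a one-line comment stating that purpose would help the next reader.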