[refpolicy] [Patch] database administrator domain

All of lore.kernel.org
 help / color / mirror / Atom feed

From: kaigai@ak.jp.nec.com (KaiGai Kohei)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Patch] database administrator domain
Date: Fri, 04 Dec 2009 17:32:30 +0900	[thread overview]
Message-ID: <4B18C91E.1090907@ak.jp.nec.com> (raw)

The attached patch add a new role for database administrator (dbadm).
Most of postgresql_admin() definitions were copied from Dan's patch,
so either of them may conflict, but it is not difficult to integrate.

- It allows dbadm to start/stop PostgreSQL server process, and to manage
  corresponding files.

- It allows dbadm to start/stop MySQL server process, and to manage
  corresponding files.
  (*) Note that I've not tested MySQL related permissions yet.

- It allows to execute su and sudo to run init script.

- It allows to execute DDL statements in SE-PostgreSQL, but permissions
  to execute DML statement are depending on the sepgsql_unconfined_dbadm
  boolean.
  It allows to control whether user data are visible for DBA, or not.
  (Oracle's security option has similar idea. All the DBA can do is
   defining the schema, not available to access user data.)

- postgresql_role() is moved to unprivuser.te, staff.te and webadm.te
  from the userdom_unpriv_user_template(), because different rules should
  be applied on dbadm role.

----
BTW, I have a plan to define an individual domain for backup and restore
utilities to separate permissions to access user data from dbadm role
in the future.
In this situation, dbadm can execute backup/restore utilities which can
access user data with domain transition, but dbadm cannot access user
data directly in database and newly generated backup file. It ensures
DBA to dump whole of the database with keeping confidence of the contents.

See the page.28 in:
  http://sepgsql.googlecode.com/files/JLS2009-KaiGai-LAPP_SELinux.pdf

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-dbadm.patch
Type: text/x-patch
Size: 10282 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091204/47c7a17e/attachment.bin

next             reply	other threads:[~2009-12-04  8:32 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-12-04  8:32 KaiGai Kohei [this message]
2010-02-09 13:48 ` [refpolicy] [Patch] database administrator domain Christopher J. PeBenito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4B18C91E.1090907@ak.jp.nec.com \
    --to=kaigai@ak.jp.nec.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.