From: kaigai@ak.jp.nec.com (KaiGai Kohei)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
Date: Fri, 09 Apr 2010 14:40:22 +0900
Message-ID: <4BBEBDC6.8070507@ak.jp.nec.com>
In-Reply-To: <4BBDC8E5.1050307@redhat.com>
A corresponding problem.
I found a bug when we initialize the database with dbadm_r:dbadm_t,
which belongs to the sepgsql_admin_type attribute.
In the case when sepgsql_admin_type creates new database objects,
it does not have valid type_transition rules, so it failed.
Sorry, I didn't find it for a long time.
And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
for the administrative domain independently of sepgsql_unconfined_dbadm,
because we need to execute some of the system-defined procedures to look up
system tables.
Thanks,
(2010/04/08 21:15), Daniel J Walsh wrote:
> As Dominick stated. I prefer to think in terms of two different roles.
> Login Roles, and Roles to execute in when you have privileges (IE Root).
>
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
>
> Three interfaces can be used to create confined login users.
>
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
>
>
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
>
> The following interface can be used to create an Admin Role
> userdom_base_user_template(logadm)
>
>
> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>
>
> I imagine that you login as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.
>
> Of course you are free to design your own system creating fully login
> admin roles. Or creating additional non admin user roles.
>
>
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-pgsql-fixes.1.patch
Type: text/x-patch
Size: 1379 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100409/6369d3e6/attachment.bin
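As an added illustration of the two gaps described in the message above (this is not the attached refpolicy-pgsql-fixes.1.patch, whose contents are not on this page), the fragment below shows what both fixes look like in refpolicy's policy language. The names sepgsql_admin_type, sepgsql_proc_exec_t and sepgsql_unconfined_dbadm come from the message; sepgsql_db_t, sepgsql_schema_t, sepgsql_table_t and sepgsql_proc_t are assumed to be the object types of refpolicy's postgresql module, and treating sepgsql_unconfined_dbadm as a tunable is likewise an assumption.

```selinux
# Illustrative refpolicy fragment (added example, not the attached patch).
# Assumed: sepgsql_db_t, sepgsql_schema_t, sepgsql_table_t and sepgsql_proc_t
# are the object types declared in the postgresql module, and
# sepgsql_unconfined_dbadm is a tunable. sepgsql_admin_type and
# sepgsql_proc_exec_t are the names used in the message itself.

# (1) The reported bug: dbadm_t carries sepgsql_admin_type, but no
# type_transition rule names that attribute as its source. When such a
# domain creates a schema, table or procedure, no default type is derived
# for the new object and the create fails during database initialization.
# The fix is to give every domain carrying the attribute the transitions
# that the unconfined database domain already has, one per object class:
type_transition sepgsql_admin_type sepgsql_db_t:db_schema sepgsql_schema_t;
type_transition sepgsql_admin_type sepgsql_db_t:db_table sepgsql_table_t;
type_transition sepgsql_admin_type sepgsql_db_t:db_procedure sepgsql_proc_t;
# ... and likewise for each further db_* class the domain may create.

# (2) The second point: executing system-defined procedures, which is
# needed merely to look up the system tables, was tied to the unconfined
# setting, i.e. only granted inside the tunable (assumed form):
tunable_policy(`sepgsql_unconfined_dbadm',`
	allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
')
# Since catalog lookups are required even by a confined administrator,
# the permission should be granted unconditionally instead:
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
```

After loading a policy with the first block, `sesearch -T -s dbadm_t -c db_table` should list the sepgsql_table_t transition; before it, the search returns nothing, which is the quickest way to confirm the gap.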