From: kaigai@ak.jp.nec.com (KaiGai Kohei)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)
Date: Tue, 13 Apr 2010 09:28:21 +0900	[thread overview]
Message-ID: <4BC3BAA5.4050502@ak.jp.nec.com> (raw)
In-Reply-To: <1271081355.2815.191.camel@gorn.columbia.tresys.com>

(2010/04/12 23:09), Christopher J. PeBenito wrote:
> On Fri, 2010-04-09 at 14:29 +0900, KaiGai Kohei wrote:
>> (2010/04/08 21:15), Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> As Dominick stated.  I prefer to think in terms of two different roles.
>>>    Login Roles, and Roles to execute in when you have privileges (i.e. root).
>>>
>>> Login Roles/Types
>>> staff_t, user_t, unconfined_t, xguest_t, guest_t
>>>
>>> Three interfaces can be used to create confined login users.
>>>
>>> userdom_restricted_user_template(guest)
>>> userdom_restricted_xwindows_user_template(xguest)
>>> userdom_unpriv_user_template(staff)
>>>
>>>
>>> Admin Roles/Types
>>> logadm_t, webadm_t, secadm_t, auditadm_t
>>>
>>> The following interface can be used to create an Admin Role
>>> userdom_base_user_template(logadm)
>>>
>>>
>>> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>>>
>>>
>>> I imagine that you login as a confined user and then use sudo/newrole to
>>> switch roles to one of the admin roles.
>>
>> The attached patch revises roles/dbadm.te (to be applied on the upstream
>> reference policy). It uses userdom_base_user_template() instead of the
>> userdom_unpriv_user_template(), and should be launched via sudo/newrole.
>> By default, it intends the dbadm_r role to be launched from the staff_r role.
> 
> Why does dbadm need to run setfiles?

The database files (typically, /var/lib/(se)?pgsql/*) have to be labeled
correctly, so I thought dbadm needs to run setfiles.
However, as long as they initialize the database files using the init script,
initrc_t domain performs this initial labeling, so it might not be necessary.

On the other hand, PostgreSQL supports a feature to use multiple disks
within a single database instance for performance utilization.
(Called TABLESPACE; I don't know whether MySQL has such a feature.)

http://archives.postgresql.org/pgsql-general/2006-08/msg00142.php

It requires administrators to assign proper security context on the secondary
directory, or to mount the secondary disk with context='...' option.

Are there any good ideas?

Or should it not be a task for dbadm?

> Use of staff_role_change_to() is not allowed upstream.  If staff should
> be allowed to change to dbadm, the dbadm_role_change() should be used in
> the staff module.

OK, I'll fix it.

Thanks,
-- 
KaiGai Kohei <kaigai@ak.jp.nec.com>
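As an added illustration (not code from the thread or from the refpolicy tree), the following shows the role-change wiring PeBenito asks for: the dbadm module declares its role with userdom_base_user_template() and exports a dbadm_role_change() interface, and the staff module is the one that calls it. The file names, the doc-comment wording and the exact interface body are assumptions modelled on reference policy conventions; the interface names themselves are the ones named in the thread.

```m4
## Added example, not part of the original message. File paths and the
## interface bodies below are assumptions based on refpolicy layout.

#### policy/modules/roles/dbadm.te ####
policy_module(dbadm, 1.0.0)

########################################
#
# Declarations
#

role dbadm_r;

# An admin role gets the base template, not the unprivileged login
# template: dbadm_r is entered from staff_r via sudo/newrole, not at login.
userdom_base_user_template(dbadm)

# Not accepted upstream: a role module must not reach into the staff
# module to grant itself the transition. Left here only to show the
# form that was rejected.
# staff_role_change_to(dbadm_r)

#### policy/modules/roles/dbadm.if ####
## <summary>Database administrator role.</summary>

########################################
## <summary>
##	Change to the database administrator role.
## </summary>
## <param name="role">
##	<summary>Role that is allowed to change to dbadm_r.</summary>
## </param>
#
interface(`dbadm_role_change',`
	gen_require(`
		role dbadm_r;
	')

	# Role allow rule: the caller's role may switch to dbadm_r.
	allow $1 dbadm_r;
')

#### policy/modules/roles/staff.te ####
# The staff module opts in. dbadm may not be built, so guard the call.
optional_policy(`
	dbadm_role_change(staff_r)
')
```

After building and loading the modules, `seinfo -r dbadm_r -x` should list the role with its types, and a staff_r user can then reach it with `newrole -r dbadm_r` (or via sudo configured for that role); if the dbadm module is absent, the optional_policy block simply drops out and staff is unaffected.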
