[selinux-policy: 2813/3172] Dbadm updates from KaiGai Kohei.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:10:23 UTC 2010
commit c62f1bef77c839295b49bdddc7bfd13df780bf4e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Aug 19 08:41:39 2010 -0400
Dbadm updates from KaiGai Kohei.
Changelog | 1 +
policy/modules/kernel/files.if | 19 +++++++++++++++++
policy/modules/roles/dbadm.if | 2 +-
policy/modules/roles/dbadm.te | 44 ++++++++++++++++++++++++++++++++-------
policy/modules/roles/staff.te | 4 +++
5 files changed, 61 insertions(+), 9 deletions(-)
---
diff --git a/Changelog b/Changelog
index e0fcc58..cbb71cf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Dbadm updates from KaiGai Kohei.
- Virtio disk file context update from Mika Pfluger.
- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
- Add JIT usage for freshclam.
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 8d3dfad..5302dac 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5129,6 +5129,25 @@ interface(`files_getattr_generic_locks',`
########################################
## <summary>
+## Delete generic lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_generic_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ delete_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete generic
## lock files.
## </summary>
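Review bot: The new `files_delete_generic_locks` interface has a one-line summary (`Delete generic lock files.`) but no `<desc>`, so a caller cannot see from the docs that it grants unlink on every `var_lock_t` file, not only locks the caller created. Suggest adding a short description such as `Delete any generic lock file (type var_lock_t); prefer a daemon-specific lock interface where one exists.` Since the body uses `delete_files_pattern`, it appears to cover plain files only and not symlinks or directories under the lock directory, which is worth stating if that is the intent.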
diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if
index 92d23c5..56f2af7 100644
--- a/policy/modules/roles/dbadm.if
+++ b/policy/modules/roles/dbadm.if
@@ -25,7 +25,7 @@ interface(`dbadm_role_change',`
## </summary>
## <desc>
## <p>
-## Change from the web administrator role to
+## Change from the database administrator role to
## the specified role.
## </p>
## <p>
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 2ddeb70..1875064 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -5,28 +5,56 @@ policy_module(dbadm, 1.0.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow dbadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow dbadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_read_user_files, false)
+
role dbadm_r;
-userdom_unpriv_user_template(dbadm)
+userdom_base_user_template(dbadm)
########################################
#
# database admin local policy
#
-optional_policy(`
- mysql_admin(dbadm_t, dbadm_r)
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_delete_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+ userdom_manage_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+ userdom_write_user_tmp_files(dbadm_t)
')
-optional_policy(`
- postgresql_admin(dbadm_t, dbadm_r)
+tunable_policy(`dbadm_read_user_files',`
+ userdom_read_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
')
-# For starting up daemon processes
optional_policy(`
- su_role_template(dbadm, dbadm_r, dbadm_t)
+ mysql_admin(dbadm_t, dbadm_r)
')
optional_policy(`
- sudo_role_template(dbadm, dbadm_r, dbadm_t)
+ postgresql_admin(dbadm_t, dbadm_r)
')
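Review bot: The unconditional `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` is the broadest grant in this hunk and carries no comment saying which administrative task needs each capability; `dac_override` lets the domain ignore file mode bits on every type it already has SELinux access to, and `sys_ptrace` is normally something a role policy justifies explicitly. The file's removed lines used task comments (`# For starting up daemon processes`), so a comment in that style above the allow rule, e.g. `# dac_override/sys_ptrace: needed for <TASK - placeholder>`, would document the decision; if `sys_ptrace` is only needed occasionally, it may belong under a tunable like the two added here. Also, `userdom_read_user_tmp_files(dbadm_t)` appears in both `tunable_policy` blocks, which is harmless but redundant when `dbadm_manage_user_files` is on. The switch from `userdom_unpriv_user_template` to `userdom_base_user_template` presumably changes the role's baseline permissions; a line in the commit description noting that would help reviewers.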
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index a589c55..0c9876c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,6 +23,10 @@ optional_policy(`
')
optional_policy(`
+ dbadm_role_change(staff_r)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
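Review bot: `dbadm_role_change(staff_r)` lets every staff_r user reach dbadm_r, and in the same commit dbadm_t gains `dac_override` and `sys_ptrace`, so the privilege reachable from the staff role grows without a comment here or in the commit description explaining it. Suggest a one-line comment above the new `optional_policy` block, e.g. `# staff may change to the database admin role`, and a sentence in the description that the role change is intentionally unconditional rather than behind a tunable. The enclosing `optional_policy` block is fully inside the hunk.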