[selinux-policy: 2813/3172] Dbadm updates from KaiGai Kohei.

[Daniel J Walsh]

commit c62f1bef77c839295b49bdddc7bfd13df780bf4e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Aug 19 08:41:39 2010 -0400

    Dbadm updates from KaiGai Kohei.

 Changelog                      |    1 +
 policy/modules/kernel/files.if |   19 +++++++++++++++++
 policy/modules/roles/dbadm.if  |    2 +-
 policy/modules/roles/dbadm.te  |   44 ++++++++++++++++++++++++++++++++-------
 policy/modules/roles/staff.te  |    4 +++
 5 files changed, 61 insertions(+), 9 deletions(-)
---
diff --git a/Changelog b/Changelog
index e0fcc58..cbb71cf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Dbadm updates from KaiGai Kohei.
 - Virtio disk file context update from Mika Pfluger.
 - Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
 - Add JIT usage for freshclam.
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 8d3dfad..5302dac 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5129,6 +5129,25 @@ interface(`files_getattr_generic_locks',`
 
 ########################################
 ## <summary>
+##	Delete generic lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_generic_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	delete_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete generic
 ##	lock files.
 ## </summary>
diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if
index 92d23c5..56f2af7 100644
--- a/policy/modules/roles/dbadm.if
+++ b/policy/modules/roles/dbadm.if
@@ -25,7 +25,7 @@ interface(`dbadm_role_change',`
 ## </summary>
 ## <desc>
 ##	<p>
-##	Change from the web administrator role to
+##	Change from the database administrator role to
 ##	the specified role.
 ##	</p>
 ##	<p>
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 2ddeb70..1875064 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -5,28 +5,56 @@ policy_module(dbadm, 1.0.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow dbadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow dbadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_read_user_files, false)
+
 role dbadm_r;
 
-userdom_unpriv_user_template(dbadm)
+userdom_base_user_template(dbadm)
 
 ########################################
 #
 # database admin local policy
 #
 
-optional_policy(`
-	mysql_admin(dbadm_t, dbadm_r)
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_delete_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+	userdom_manage_user_home_content_files(dbadm_t)
+	userdom_read_user_tmp_files(dbadm_t)
+	userdom_write_user_tmp_files(dbadm_t)
 ')
 
-optional_policy(`
-	postgresql_admin(dbadm_t, dbadm_r)
+tunable_policy(`dbadm_read_user_files',`
+	userdom_read_user_home_content_files(dbadm_t)
+	userdom_read_user_tmp_files(dbadm_t)
 ')
 
-# For starting up daemon processes
 optional_policy(`
-	su_role_template(dbadm, dbadm_r, dbadm_t)
+	mysql_admin(dbadm_t, dbadm_r)
 ')
 
 optional_policy(`
-	sudo_role_template(dbadm, dbadm_r, dbadm_t)
+	postgresql_admin(dbadm_t, dbadm_r)
 ')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index a589c55..0c9876c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,6 +23,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbadm_role_change(staff_r)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')