On Thu, Apr 08, 2010 at 09:52:32AM +0900, KaiGai Kohei wrote:
It seems to me the latest selinux-policy package forgot to build
dbadm package, although its interface file is distributed.
[kaigai@saba ~]$ rpm -q selinux-policy
selinux-policy-3.7.15-4.fc13.noarch
[kaigai@saba ~]$ rpm -ql selinux-policy | grep dbadm
/usr/share/selinux/devel/include/roles/dbadm.if
However,
[kaigai@saba ~]$ rpm -ql selinux-policy-targeted | grep dbadm
Perhaps, modules-targeted.conf of the selinux-policy spec was not
updated when it upgraded to the upstream policy which contains
dbadm.*.
Could you fix it?
I think it is not added because it is not the preferred way of configuring a dbadm.
The preferred way is to implement it like the way that webadm is implemented:
dbadm.te:
policy_module(dbadm, 2.0.0)
role dbadm_r;
userdom_base_user_template(dbadm)
allow dbadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
files_dontaudit_search_all_dirs(dbadm_t)
files_manage_generic_locks(dbadm_t)
files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
seutil_domtrans_setfiles(dbadm_t)
logging_send_syslog_msg(dbadm_t)
userdom_dontaudit_search_user_home_dirs(dbadm_t)
optional_policy(`
	mysql_admin(dbadm_t, dbadm_r)
')
optional_policy(`
	postgresql_admin(dbadm_t, dbadm_r)
')
dbadm.if:
## <summary>DB administrator role</summary>
########################################
## <summary>
## Change to the DB administrator role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dbadm_role_change',`
	gen_require(`
		role dbadm_r;
	')
	allow $1 dbadm_r;
')
########################################
## <summary>
## Change from the DB administrator role.
## </summary>
## <desc>
## <p>
## Change from the DB administrator role to
## the specified role.
## </p>
## <p>
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dbadm_role_change_to',`
	gen_require(`
		role dbadm_r;
	')
	allow dbadm_r $1;
')
Patch to staff.te:
policy_module(mystaff, 1.0.0)
gen_require(`
	type staff_t;
	role staff_r;
')
optional_policy(`
	dbadm_role_change(staff_r)
')
make -f /usr/share/selinux/devel/Makefile mystaff.pp dbadm.pp
sudo semodule -i mystaff.pp dbadm.pp
semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r webadm_r dbadm_r unconfined_r" -P user staff_u
useradd -Z staff_u testuser
passwd testuser
echo "testuser ALL=(ALL) ALL" >> /etc/sudoers
(.. login as testuser ..)
sudo -r dbadm_r -t dbadm_t service mysqld restart
(to enter dbadm root shell:)
sudo -r dbadm_r -t dbadm_t -s
(to enter webadm root shell:)
sudo -r webadm_r -t webadm_t -s
(to enter unconfined root shell:)
sudo -r unconfined_r -t unconfined_t -s
Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux