A corresponding problem.
I found a bug when we initialize the database with dbadm_r:dbadm_t,
which belongs to the sepgsql_admin_type attribute.
When a sepgsql_admin_type domain creates new database objects,
it does not have valid type_transition rules, so it failed.
Sorry, I didn't find this for a long time.
And db_procedure:{execute} on sepgsql_proc_exec_t might be necessary
for the administrative domain independently of sepgsql_unconfined_dbadm,
because we need to execute some of the system-defined procedures to look up
system tables.
Thanks,
(2010/04/08 21:15), Daniel J Walsh wrote:
As Dominick stated, I prefer to think in terms of two different roles:
login roles, and roles to execute in when you have privileges (i.e. root).
Login Roles/Types
staff_t, user_t, unconfined_t, xguest_t, guest_t
Three interfaces can be used to create confined login users.
userdom_restricted_user_template(guest)
userdom_restricted_xwindows_user_template(xguest)
userdom_unpriv_user_template(staff)
Admin Roles/Types
logadm_t, webadm_t, secadm_t, auditadm_t
The following interface can be used to create an Admin Role:
userdom_base_user_template(logadm)
sysadm_t is sort of a hybrid, most people use it as an Admin Role.
I imagine that you login as a confined user and then use sudo/newrole to
switch roles to one of the admin roles.
Of course you are free to design your own system, creating full login
admin roles, or creating additional non-admin user roles.
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
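An added illustration (not from either mail, and not a module of the reference policy itself) of the two-tier design Dan describes, written in refpolicy macro language: a confined login user built with userdom_unpriv_user_template, a separate admin role built with userdom_base_user_template, a role allow so the login role can reach the admin role via sudo/newrole, plus the database-object type_transition and the db_procedure execute rule KaiGai says the admin domain needs. The module name, the prefixes pgstaff/pgadm, and the sepgsql object types listed in gen_require (other than sepgsql_proc_exec_t, which the mail names) are assumptions.

```selinux
policy_module(pgroles, 1.0.0)

########################################
#
# Declarations
#

# Login role/type: an unprivileged user, same template as staff_t.
# ("pgstaff" is a constructed prefix, not an existing policy domain)
userdom_unpriv_user_template(pgstaff)

# Admin role/type: built with the base template, like logadm_t/webadm_t.
# ("pgadm" is likewise a constructed prefix)
role pgadm_r;
userdom_base_user_template(pgadm)

########################################
#
# Role switching: login role -> admin role via sudo/newrole
#

# Role allow: a process running in pgstaff_r may change to pgadm_r.
allow pgstaff_r pgadm_r;

optional_policy(`
	# Let the login domain run sudo so it can end up in the admin role.
	sudo_role_template(pgstaff, pgstaff_r, pgstaff_t)
')

########################################
#
# Database object labelling for the admin domain
#

gen_require(`
	# assumed sepgsql object types; only sepgsql_proc_exec_t is in the mail
	type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t;
	class db_table { create };
	class db_procedure { execute };
')

# Without a type_transition, objects created by the admin domain get no
# valid type and creation fails (the bug described above).
allow pgadm_t sepgsql_table_t:db_table create;
type_transition pgadm_t sepgsql_db_t:db_table sepgsql_table_t;

# Looking up system tables runs system-defined procedures, so the admin
# domain needs execute on them independently of sepgsql_unconfined_dbadm.
allow pgadm_t sepgsql_proc_exec_t:db_procedure execute;
```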