(2010/04/08 21:15), Daniel J Walsh wrote:
As Dominick stated, I prefer to think in terms of two different roles:
Login Roles, and Roles to execute in when you have privileges (i.e. root).
Login Roles/Types
staff_t, user_t, unconfined_t, xguest_t, guest_t
Three interfaces can be used to create confined login users.
userdom_restricted_user_template(guest)
userdom_restricted_xwindows_user_template(xguest)
userdom_unpriv_user_template(staff)
Admin Roles/Types
logadm_t, webadm_t, secadm_t, auditadm_t
The following interface can be used to create an Admin Role:
userdom_base_user_template(logadm)
sysadm_t is sort of a hybrid, most people use it as an Admin Role.
I imagine that you log in as a confined user and then use sudo/newrole to
switch roles to one of the admin roles.
The attached patch revises roles/dbadm.te (to be applied on the upstream
reference policy). It uses userdom_base_user_template() instead of
userdom_unpriv_user_template(), and should be launched via sudo/newrole.
By default, it intends the dbadm_r role to be launched from the staff_r role.
What I did:
[root@saba ~]# semodule -i ~kaigai/repo/refpolicy/policy/modules/roles/dbadm.pp
[root@saba ~]# semanage user -m -P user -r s0-s0:c0.c1023 -R "dbadm_r staff_r system_r" ymj_u
[root@saba ~]# semanage login -a -s ymj_u ymj
[root@saba ~]# echo "ymj ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r NOPASSWD:/sbin/service" >> /etc/sudoers
[root@saba ~]# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/ymj_u
[root@saba ~]# semanage user -l
                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range        SELinux Roles
guest_u         user      s0         s0               guest_r
root            user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user      s0         s0-s0:c0.c1023   sysadm_r
system_u        user      s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user      s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user      s0         s0               user_r
webadm_u        user      s0         s0               webadm_r
xguest_u        user      s0         s0               xguest_r
ymj_u           user      s0         s0-s0:c0.c1023   dbadm_r staff_r system_r
[root@saba ~]# semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
ymj             ymj_u           s0
[root@saba ~]# ssh ymj@localhost
ymj@localhost's password:
Last login: Fri Apr 9 13:59:32 2010 from localhost
[ymj@saba ~]$ id -Z
ymj_u:staff_r:staff_t:s0
[ymj@saba ~]$ sudo service sepostgresql restart
Stopping sepostgresql service: [ OK ]
Starting sepostgresql service: [ OK ]
[ymj@saba ~]$ ps -AZ | grep sepostgres
ymj_u:system_r:postgresql_t:s0 1171 ? 00:00:01 sepostgres
ymj_u:system_r:postgresql_t:s0 1176 ? 00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1177 ? 00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1178 ? 00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1179 ? 00:00:00 sepostgres
ymj_u:system_r:postgresql_t:s0 1180 ? 00:00:00 sepostgres
[ymj@saba ~]$ newrole -r dbadm_r -t dbadm_t
Password:
[ymj@saba ~]$ psql postgres
psql (8.4.3, server 9.0alpha5)
WARNING: psql version 8.4, server version 9.0.
Some psql features might not work.
Type "help" for help.
postgres=> SELECT sepgsql_getcon();
sepgsql_getcon
--------------------------
ymj_u:dbadm_r:dbadm_t:s0
(1 row)
postgres=> CREATE TABLE my_table (a int, b text);
CREATE TABLE
postgres=> SELECT * FROM my_table;
ERROR: SELinux: security policy violation
Of course you are free to design your own system creating fully login
admin roles. Or creating additional non admin user roles.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
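A check for the mapping set up above, added here as an example and not part of the thread or the reference policy: it parses `semanage user -l` and `semanage login -l` output (constructed samples modelled on the output quoted above, including the indented continuation lines semanage prints for wrapped role lists) and confirms that a login such as ymj reaches staff_r and dbadm_r but no unconfined_r or sysadm_r role. The function names and the required/forbidden role sets are this example's own choices.

```python
"""Verify that a Linux login maps to a SELinux user with the intended role set."""

# Constructed sample of `semanage user -l` (wrapped role lists are indented).
SEMANAGE_USER_L = """\
                Labelling  MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r
                                                       system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r
                                                       system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
ymj_u           user       s0         s0-s0:c0.c1023   dbadm_r staff_r
                                                       system_r
"""
# Constructed sample of `semanage login -l`.
SEMANAGE_LOGIN_L = """\
Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
ymj             ymj_u           s0
"""

def parse_users(text):
    """Return {selinux_user: set(roles)} from `semanage user -l` output."""
    users, current = {}, None
    for line in text.splitlines()[2:]:      # skip the two header lines
        if not line.strip():
            continue
        if line[0].isspace():               # continuation of a wrapped role list
            users[current].update(line.split())
        else:
            name, _prefix, _level, _range, *roles = line.split()
            current, users[name] = name, set(roles)
    return users

def parse_logins(text):
    """Return {linux_login: selinux_user} from `semanage login -l` output."""
    rows = (ln.split() for ln in text.splitlines()[1:])
    return {f[0]: f[1] for f in rows if len(f) >= 2}

def roles_for_login(login, users_out=SEMANAGE_USER_L, logins_out=SEMANAGE_LOGIN_L):
    """Roles reachable by a Linux login through its SELinux user (empty if unmapped)."""
    logins, users = parse_logins(logins_out), parse_users(users_out)
    return users.get(logins.get(login, ""), set())

def confined_admin_ok(login, required=("staff_r", "dbadm_r"),
                      forbidden=("sysadm_r", "unconfined_r"), **kw):
    """True iff the login reaches every required role and none of the forbidden ones."""
    roles = roles_for_login(login, **kw)
    return set(required) <= roles and not (set(forbidden) & roles)
```

On a live system, feed the real output in via `users_out`/`logins_out` after running the setup so the check reflects the policy store rather than the sample.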