Hi. I have a question about selinux policy configuration for FC2. I need to forbid access to the postgresql data files from user root. I guess I have to create a certain type for postgresql. Let's name this type pgsql. Thus I have something like that:

[root@selinux pgsql]# pwd
/var/lib/pgsql
[root@selinux pgsql]# ls -aZ
drwx------+ postgres postgres postgres:object_r:pgsql_home_dir_t .
drwxr-xr-x  root     root     system_u:object_r:var_lib_t        ..
drwx------  postgres postgres postgres:object_r:pgsql_home_dir_t backups
-rw-------  postgres postgres postgres:object_r:pgsql_home_t     .bash_history
-rw-r--r--  postgres postgres postgres:object_r:pgsql_home_t     .bash_profile
drwx------  postgres postgres postgres:object_r:pgsql_home_dir_t data
-rw-r--r--  postgres postgres postgres:object_r:pgsql_home_t     initdb.i18n
drwxr-xr-x+ postgres postgres postgres:object_r:pgsql_home_t     .mc
[root@selinux pgsql]#

So far user root within the sysadm_r role has access to the postgresql data files. I guess I need to find and revoke this permission from the sysadm_r role. After looking at the policy.conf file I can't understand this. So how can I prevent access to postgresql data files from user root? Thanks.
On Fri, 4 Jun 2004 01:43, "Igor Borisovsky" igor@datanaut.com wrote:
Hi. I have a question about selinux policy configuration for FC2. I need to forbid access to the postgresql data files from user root.
[...]
I guess i need to find and revoke this permission from sysadm_r role. After looking at the policy.conf file I can't understand this. So how can i prevent access to postgresql data files from user root?
The sysadm_t domain (the default domain for the sysadm_r role) has access to almost everything on the system. sysadm_t can run fdisk, useradd, vipw, etc.
You can't realistically deny sysadm_t access to any resource without significant changes to the entire policy (such things have been discussed but are a long way from being implemented).
You can deny the root user the sysadm_r role to deny them such access (but make sure you grant another user sysadm_r so that you can still administer your system).
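Acting on the reply's suggestion means changing the user-to-role declarations in the policy source. The shell functions below are an added example, not code from the thread: they edit a constructed sample in the FC2-era `users` file syntax (assumed here to be `user NAME roles { ROLE ... };`), granting sysadm_r to a second account (alice, a placeholder name) before dropping it from root so the system stays administrable. Rebuilding and loading the policy afterwards is not covered.

```shell
#!/bin/sh
# Constructed sample of the policy source "users" file in the FC2-era syntax
# (assumed: "user NAME roles { ROLE ... };"); not taken from the original thread.
SAMPLE_USERS='user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r sysadm_r };
user alice roles { staff_r };'

# roles_of USER: read declarations on stdin, print USER's role names one per line
roles_of() {
  awk -v u="$1" '$1 == "user" && $2 == u {
    for (i = 4; i <= NF; i++) {
      f = $i; sub(/;$/, "", f)
      if (f != "{" && f != "}" && f != "") print f
    } }'
}

# drop_role USER ROLE: rewrite stdin with ROLE removed from USER's role set.
# A user left with an empty set would not compile, so that case is flagged.
drop_role() {
  awk -v u="$1" -v r="$2" '
    $1 == "user" && $2 == u {
      out = ""
      for (i = 1; i <= NF; i++) {
        if (i >= 4 && $i == r) continue
        out = out (i > 1 ? " " : "") $i
      }
      if (index(out, "{ };") > 0)
        print "warning: " u " has no roles left" > "/dev/stderr"
      print out; next
    }
    { print }'
}

# add_role USER ROLE: rewrite stdin with ROLE appended to USER's role set
# (only for brace-delimited sets, and only if ROLE is not already present).
add_role() {
  awk -v u="$1" -v r="$2" '
    function has(x,  i) { for (i = 4; i <= NF; i++) if ($i == x) return 1; return 0 }
    $1 == "user" && $2 == u && !has(r) && / };$/ { sub(/ };$/, " " r " };") }
    { print }'
}

# As the reply recommends: give sysadm_r to another account first, then take it
# away from root.
printf '%s\n' "$SAMPLE_USERS" | add_role alice sysadm_r | drop_role root sysadm_r
```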
selinux@lists.fedoraproject.org