[BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)

KaiGai Kohei kaigai at ak.jp.nec.com
Fri Apr 9 05:40:22 UTC 2010


A corresponding problem.

I found a bug when we initialize the database with dbadm_r:dbadm_t,
which belongs to the sepgsql_admin_type attribute.

In the case when sepgsql_admin_type creates new database objects,
it does not have valid type_transition rules. So, it failed.
Sorry, I didn't find it for a long time.

And db_procedure:{execute} on sepgsql_proc_exec_t might be necessary
for the administrative domain independently from sepgsql_unconfined_dbadm,
because we need to execute some of the system-defined procedures to look up
system tables.

Thanks,

(2010/04/08 21:15), Daniel J Walsh wrote:
> As Dominick stated.  I prefer to think in terms of two different roles.
>   Login Roles, and Roles to execute in when you have privileges (IE Root).
> 
> Login Roles/Types
> staff_t, user_t, unconfined_t, xguest_t, guest_t
> 
> Three interfaces can be used to create confined login users.
> 
> userdom_restricted_user_template(guest)
> userdom_restricted_xwindows_user_template(xguest)
> userdom_unpriv_user_template(staff)
> 
> 
> Admin Roles/Types
> logadm_t, webadm_t, secadm_t, auditadm_t
> 
> The following interface can be used to create an Admin Role
> userdom_base_user_template(logadm)
> 
> 
> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
> 
> 
> I imagine that you login as a confined user and then use sudo/newrole to
> switch roles to one of the admin roles.
> 
> Of course you are free to design your own system creating fully login
> admin roles. Or creating additional non admin user roles.
> 
> 


-- 
KaiGai Kohei <kaigai at ak.jp.nec.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-pgsql-fixes.1.patch
Type: text/x-patch
Size: 1379 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100409/6369d3e6/attachment.bin 
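The attached patch is not reproduced in the archive, so the following is an added illustration (not KaiGai's patch and not refpolicy's own text) of the two kinds of rule the message describes: type_transition rules so that objects created by a sepgsql_admin_type domain get the ordinary sepgsql object types instead of failing, and an allow rule granting db_procedure:{execute} on sepgsql_proc_exec_t. The object types sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t and sepgsql_blob_t are the existing refpolicy postgresql module types; the exact rule set in the real fix is assumed, not known.

```selinux
# Constructed illustration of the fix described in the mail.
# Assumption: the refpolicy postgresql module already declares the
# sepgsql_admin_type attribute and the sepgsql_* object types used below,
# and dbadm_t has been given the attribute via the module's admin interface.

# Without a type_transition rule, a new object created by an
# sepgsql_admin_type domain has no default type to be labeled with, and
# the create is refused by the security provider.  These rules give the
# same default labels that the ordinary client domains get.
type_transition sepgsql_admin_type sepgsql_db_t:db_table sepgsql_table_t;
type_transition sepgsql_admin_type sepgsql_db_t:db_procedure sepgsql_proc_exec_t;
type_transition sepgsql_admin_type sepgsql_db_t:db_blob sepgsql_blob_t;

# Looking up system catalogs runs system-defined procedures, so the
# administrative domain needs to execute them even when it is not
# sepgsql_unconfined_dbadm.
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure { getattr execute };
```

After loading a module with such rules, the transition can be confirmed with setools, e.g. `sesearch -T -s dbadm_t -c db_table`, which prints the type_transition rules whose source is dbadm_t (through the attribute) and whose object class is db_table; an empty result is the symptom the mail describes.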

