staff_t unable to connect SE-PostgreSQL

KaiGai Kohei kaigai at kaigai.gr.jp
Mon Jun 1 13:43:59 UTC 2009


Daniel J Walsh wrote:
> On 06/01/2009 02:03 AM, KaiGai Kohei wrote:
>> Dan,
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch
>>
>> It seems to me that the patch removes postgresql_role() from the
>> userdom_unpriv_user_template(), but it can prevent staff_t from accessing
>> SE-PostgreSQL.
>>
>> Could you fix it please?
> Ok I added
> 
> 
> optional_policy(`
> 	postgresql_role(staff_r, staff_t)
> ')
> 
> to staff.te, I do not want all users to be able to manage postgresql.
> So this should be a user type by user type decision.

The postgresql_role() might be misnamed?

It does not allow permissions to manage PostgreSQL itself.
It only allows the given domain to perform as an unprivileged client with
some of the UBAC specific types on SE-PostgreSQL.

The userdom_common_user_template() allows the given domain to connect to
PostgreSQL (when allow_user_postgresql_connect is turned on), so I think
basic permissions to the database objects should also be allowed.
-- 
KaiGai Kohei <kaigai at kaigai.gr.jp>
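
The two separate decisions discussed in this thread, written out as a small local policy module. This is an added illustration, not code from the thread or from the Fedora policy; it assumes the refpolicy interfaces named above (postgresql_role, postgresql_stream_connect, postgresql_tcp_connect) and the allow_user_postgresql_connect boolean exist on the target system, and the module name is made up.

```selinux
# Added illustration (not from the thread): make the two decisions for
# staff_t explicit. Assumes the refpolicy interfaces named here and the
# allow_user_postgresql_connect boolean are present on the system.
policy_module(local_staff_sepgsql, 1.0.0)

gen_require(`
	role staff_r;
	type staff_t;
')

optional_policy(`
	# Decision 1: socket/network access to the PostgreSQL server, gated by
	# the same boolean that userdom_common_user_template() uses. With the
	# boolean off, staff_t cannot even open a connection.
	tunable_policy(`allow_user_postgresql_connect',`
		postgresql_stream_connect(staff_t)
		postgresql_tcp_connect(staff_t)
	')

	# Decision 2: unprivileged-client access to database objects labelled
	# with the SE-PostgreSQL (sepgsql_*) types. This is what the thread says
	# postgresql_role() grants: client access, not management of the server.
	# Without it, a connected staff_t session is denied on the objects.
	postgresql_role(staff_r, staff_t)
')
```

Build with the refpolicy devel Makefile (`make -f /usr/share/selinux/devel/Makefile`) and load with `semodule -i`; the connect half is switched with `setsebool -P allow_user_postgresql_connect on`.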




More information about the fedora-selinux-list mailing list