Needs to prevent executing su.
Igor Borisovsky
igor at datanaut.com
Sun Jun 13 08:43:00 UTC 2004
I commented using su_domain() in the admin_domain() macro.
So root(in sysadm_t) can't execute su command at all.
But it will be better if root can't execute su command only for one certain
user.
-----Original Message-----
From: Russell Coker [mailto:russell at coker.com.au]
Sent: Saturday, June 12, 2004 12:19 PM
To: fedora-selinux-list at redhat.com
Cc: Igor Borisovsky
Subject: Re: Needs to prevent executing su.
On Fri, 11 Jun 2004 23:53, "Igor Borisovsky" <igor at datanaut.com> wrote:
> root operates as server administrator. Now selinux policy
> configuration forbids root access to the postgresql data files.
> Postgresql database contains secure data. Therefore root must not be
> able to access to this information.
> Instead of there is database administrator. This person is authorized
> to do all database related operations.
> So I need to prevent executing 'su postgres' for root.
The solution is that you use SE Linux to control which domains can access
the files in question, and not use Unix permissions to do this.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list