Need to prevent executing su.

Igor Borisovsky igor at datanaut.com
Mon Jun 14 07:48:21 UTC 2004


>If you tweaked the policy such that sysadm_t can't access the files,
>and if the postgres user does not have a SE Linux identity then su to
>the postgres user will not grant access to the files.
Let me explain my problem in more detail.
What I did:
1. prevented root access to the postgresql data files located at
/var/lib/pgsql;
2. created a custom pgsql_t type and pgsql_r role;
3. created the selinux user postgres:
	user postgres roles pgsql_r;
4. gave all postgresql directories and files proper types (e.g.
pgsql_home_dir_t, pgsql_home_t).
Therefore I have two persons: root and postgres. User root is the server
administrator, but he can't access the postgresql data files. User postgres
is the database administrator. He will do all database related operations
(e.g. database backup). Hence postgres has access to the postgresql data
files. So for security reasons I need to prevent the transition from user
root to user postgres.
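The setup described in the post, written out as a fragment in the monolithic example-policy syntax that checkpolicy accepted in 2004. This is an added example, not the poster's policy or any Fedora policy. The poster's names (pgsql_t, pgsql_r, postgres, pgsql_home_dir_t, pgsql_home_t) and the example policy's sysadm_t, sysadm_r and root identity are taken as given; the neverallow assertions and the constraints are the assumed additions that encode "no transition from identity root to identity postgres", and the exact set of file permissions to forbid is an assumption as well.

```te
# Added example, not from the original post or from Fedora's policy.
# Monolithic example-policy syntax (checkpolicy, circa 2004).
# Assumed to exist elsewhere in the policy: the domain attribute,
# sysadm_t, sysadm_r and the SELinux identity root.

# The poster's declarations, written out in full.
type pgsql_t, domain;              # has the domain attribute, so process rules apply
role pgsql_r types pgsql_t;        # pgsql_r may only run in pgsql_t
user postgres roles { pgsql_r };   # SELinux identity postgres, authorized for pgsql_r
# sysadm_r is deliberately NOT authorized for pgsql_t, so reaching pgsql_t
# always requires a role change.

# Build-time assertion: no allow rule anywhere in the policy may let
# root's domain exec straight into the postgres domain. checkpolicy
# refuses to compile the policy if such a rule exists.
neverallow sysadm_t pgsql_t:process transition;

# Runtime constraint on every process transition (exec-based, including
# the context su/login request via pam_selinux): the new SELinux identity
# may be postgres only if the old identity was not root. u1/u2 are the
# identities before/after the transition. Login from system_u to postgres
# is unaffected, which is what keeps the postgres DBA able to log in.
constrain process transition
    ( u2 != postgres or u1 != root );

# Same idea for roles: nothing running as sysadm_r may end up in pgsql_r.
constrain process transition
    ( r2 != pgsql_r or r1 != sysadm_r );

# The identity/role constraints only control who may BECOME postgres.
# Root still has to be kept off the data files at the type level; these
# assertions make a stray allow rule on the poster's file types a build
# failure rather than a silent hole. (Permission lists are assumptions.)
neverallow sysadm_t { pgsql_home_dir_t pgsql_home_t }:dir { read search getattr };
neverallow sysadm_t { pgsql_home_dir_t pgsql_home_t }:file { read write getattr };
```

The constraint is the piece that actually answers the question: an allow rule decides whether a transition into pgsql_t is permitted at all, but only a constrain statement can say "permitted, except when the identity or role is changing from root/sysadm_r". Note that the identity constraint also covers newrole and any other su-like program, since all of them go through the same kernel transition check; it does not, and cannot, stop root from editing and reloading the policy itself, so the policy source must be protected from sysadm_t as well if that matters in the deployment.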




More information about the fedora-selinux-list mailing list