Access to the postgresql data files
Russell Coker
russell at coker.com.au
Fri Jun 4 06:37:00 UTC 2004
On Fri, 4 Jun 2004 01:43, "Igor Borisovsky" <igor at datanaut.com> wrote:
> Hi.
> I have a question about selinux policy configuration for FC2.
> I need to forbid access to the postgresql data files from user root.
[...]
> I guess I need to find and revoke this permission from sysadm_r role.
> After looking at the policy.conf file I can't understand this.
> So how can I prevent access to postgresql data files from user root?
sysadm_t domain (the default domain for sysadm_r role) has access to almost
everything on the system. sysadm_t can run fdisk, useradd, vipw, etc.
You can't realistically deny sysadm_t access to any resource without
significant changes to the entire policy (such things have been discussed but
are a long way from being implemented).

You can deny the root user sysadm_r role to deny them such access (but make
sure you grant another user sysadm_r so that you can still administer your
system).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
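
A check for the change suggested in the reply, as an added example that is not part of the original message: it parses `user ... roles ...;` statements of the kind found in policy.conf and reports both a root that is still authorized for sysadm_r and a configuration in which nobody else holds sysadm_r. The two policy snippets and the user name `admin` are constructed; the role names `staff_r` and `system_r` are assumed from the example policy.

```python
import re

# Matches policy-language user statements, with or without braces:
#   user root roles { staff_r sysadm_r };
#   user system_u roles system_r;
USER_STMT = re.compile(
    r"^\s*user\s+(\S+)\s+roles\s+(?:\{([^}]*)\}|(\S+?))\s*;", re.M)

def parse_user_roles(policy_text):
    """Return {user: set(roles)}; '#' comments are stripped first."""
    text = re.sub(r"#.*", "", policy_text)
    users = {}
    for name, braced, single in USER_STMT.findall(text):
        roles = [single] if single else braced.split()
        # Repeated statements for one user are merged (a conservative choice
        # of this example: a role granted anywhere is treated as granted).
        users.setdefault(name, set()).update(roles)
    return users

def check_admin_role(users, restricted="root", role="sysadm_r"):
    """Return a list of problems with the role assignment (empty if none)."""
    problems = []
    if role in users.get(restricted, set()):
        problems.append(f"{restricted} is still authorized for {role}")
    if not any(role in r for u, r in users.items() if u != restricted):
        problems.append(f"no user other than {restricted} holds {role}: lockout risk")
    return problems

# Constructed sample: root may enter sysadm_r and is the only such user.
BEFORE = """
user system_u roles system_r;
user root roles { staff_r sysadm_r };
"""

# Constructed sample: sysadm_r moved to a separate, hypothetical admin user.
AFTER = """
user system_u roles system_r;
user root roles { staff_r };
user admin roles { staff_r sysadm_r };  # hypothetical administrator account
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        issues = check_admin_role(parse_user_roles(text))
        print(label, "->", issues or "ok")
```
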
More information about the fedora-selinux-list mailing list