Access to the postgresql data files

Stephen Smalley sds at epoch.ncsc.mil
Mon Jun 7 11:59:37 UTC 2004


On Mon, 2004-06-07 at 04:59, Igor Borisovsky wrote:
> I used macro full_user_role() for pgsql type.
> Then I corrected policy.conf file manually. So definitions for the new types
> look like this:
> type pgsql_home_dir_t, file_type, home_dir_type, home_type,
> user_home_dir_type, user_home_type;
> type pgsql_home_t, file_type, home_type, user_home_type;
> (I removed sysadmfile attribute)
> And finally I launched 'make load'. After that /var/lib/pgsql is still
> accessible for sysadm_t.

Did you also disable the unrestricted_admin and unlimitedServices
tunables in tunable.te, as I said in my original reply?

To further elaborate on what Russell said, type attributes can be
associated with types and then used in allow rules (or other rules) to
apply a single rule to the set of all types with that attribute.  Hence,
simply grep'ing policy.conf isn't a reliable means of checking access.
If you want to perform policy analysis, look at apol from the setools
and setools-gui packages.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
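
The point above about attributes, as an added illustration that is not part of the
original message or of any real policy: a toy resolver over a constructed policy.conf
fragment. The attribute and type names, and the allow rules granting sysadm_t access
through the file_type attribute, are invented for the example; only the mechanism
(an allow rule naming an attribute expands to every type carrying it) mirrors what
Stephen describes. A plain grep of the fragment finds no allow rule mentioning
pgsql_home_t, yet after attribute expansion sysadm_t still has access to it, which is
the same shape of surprise as in the thread. Real analysis should use apol or sesearch
from setools rather than this toy.

```python
import re

# Constructed miniature policy.conf fragment (not real Fedora policy).
# The pgsql types carry file_type/home_type but NOT sysadmfile, mirroring
# the change Igor made; the rules on file_type are hypothetical stand-ins
# for the broad sysadm_t access that tunables like unrestricted_admin turn on.
POLICY = """
attribute file_type;
attribute home_type;
attribute sysadmfile;
type sysadm_t;
type pgsql_home_dir_t, file_type, home_type;
type pgsql_home_t, file_type, home_type;
type etc_t, file_type, sysadmfile;
typeattribute etc_t home_type;
allow sysadm_t sysadmfile:file { read write getattr };
allow sysadm_t file_type:dir { read search getattr };
allow sysadm_t file_type:file { read getattr };
allow sysadm_t etc_t:file write;
"""

ATTR_RE = re.compile(r"^\s*attribute\s+(\w+)\s*;")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([\w\s,]+?))?\s*;")
TYPEATTR_RE = re.compile(r"^\s*typeattribute\s+(\w+)\s+([\w\s,]+?)\s*;")
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_policy(text):
    """Return (attributes, types -> set of attributes, allow rules)."""
    attributes, types, rules = set(), {}, []
    for line in text.splitlines():
        if m := ATTR_RE.match(line):
            attributes.add(m.group(1))
        elif m := TYPE_RE.match(line):
            attrs = m.group(2)
            types[m.group(1)] = set(a.strip() for a in attrs.split(",")) if attrs else set()
        elif m := TYPEATTR_RE.match(line):
            types.setdefault(m.group(1), set()).update(
                a.strip() for a in m.group(2).split(","))
        elif m := ALLOW_RE.match(line):
            src, tgt, cls, perms = m.groups()
            perm_set = frozenset(perms.strip("{} ").split())
            rules.append((src, tgt, cls, perm_set))
    return attributes, types, rules


def expand(name, attributes, types):
    """Concrete types denoted by an identifier in a rule: the type itself,
    or every type carrying the attribute."""
    if name in attributes:
        return {t for t, attrs in types.items() if name in attrs}
    return {name}


def why_allowed(policy, source, target, cls):
    """Every allow rule (as written) that grants source access to target:cls,
    after attribute expansion. Returns a list of (rule_text, perms)."""
    attributes, types, rules = policy
    hits = []
    for src, tgt, c, perms in rules:
        if c != cls:
            continue
        if source in expand(src, attributes, types) and target in expand(tgt, attributes, types):
            hits.append((f"allow {src} {tgt}:{c}", perms))
    return hits


def allowed_perms(policy, source, target, cls):
    """Union of permissions source has on target:cls."""
    perms = set()
    for _, p in why_allowed(policy, source, target, cls):
        perms |= p
    return perms


def grep_allow_rules(text, name):
    """What a naive grep for the type name over allow rules would return."""
    return [l.strip() for l in text.splitlines()
            if l.strip().startswith("allow") and name in l]


if __name__ == "__main__":
    pol = parse_policy(POLICY)
    print("grep hits for pgsql_home_t:", grep_allow_rules(POLICY, "pgsql_home_t"))  # none
    print("sysadm_t on pgsql_home_t:file ->", allowed_perms(pol, "sysadm_t", "pgsql_home_t", "file"))
    for rule, perms in why_allowed(pol, "sysadm_t", "pgsql_home_dir_t", "dir"):
        print("granted by:", rule, sorted(perms))
```

Removing sysadmfile from the pgsql types changes nothing here because the rules on
file_type still match them; the same question against a real policy is what apol's
rule search (or sesearch --allow -s sysadm_t -t pgsql_home_t) answers, with attribute
expansion done for you.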




More information about the fedora-selinux-list mailing list