Dan,
http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch
It seems to me that the patch removes postgresql_role() from the userdom_unpriv_user_template(), but it can prevent staff_t from accessing SE-PostgreSQL.
Could you fix it please?
On 06/01/2009 02:03 AM, KaiGai Kohei wrote:
> Dan,
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch
> It seems to me that the patch removes postgresql_role() from the userdom_unpriv_user_template(), but it can prevent staff_t from accessing SE-PostgreSQL.
> Could you fix it please?
OK, I added
optional_policy(` postgresql_role(staff_r, staff_t) ')
to staff.te. I do not want all users to be able to manage postgresql, so this should be a user-type-by-user-type decision.
Daniel J Walsh wrote:
> On 06/01/2009 02:03 AM, KaiGai Kohei wrote:
>> Dan,
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch
>> It seems to me that the patch removes postgresql_role() from the userdom_unpriv_user_template(), but it can prevent staff_t from accessing SE-PostgreSQL.
>> Could you fix it please?
> OK, I added
> optional_policy(` postgresql_role(staff_r, staff_t) ')
> to staff.te. I do not want all users to be able to manage postgresql, so this should be a user-type-by-user-type decision.
The postgresql_role() might be misnamed?
It does not allow permissions to manage PostgreSQL itself. It only allows the given domain to act as an unprivileged client with some of the UBAC-specific types on SE-PostgreSQL.
The userdom_common_user_template() allows the given domain to connect to PostgreSQL (when allow_user_postgresql_connect is turned on), so I think basic permissions on the database objects should also be allowed.
selinux@lists.fedoraproject.org