From c62f1bef77c839295b49bdddc7bfd13df780bf4e Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 19 Aug 2010 08:41:39 -0400 Subject: [PATCH] Dbadm updates from KaiGai Kohei.
---
 Changelog | 1 +
 policy/modules/kernel/files.if | 19 ++++++++++++++
 policy/modules/roles/dbadm.if | 2 +-
 policy/modules/roles/dbadm.te | 48 +++++++++++++++++++++++++++-------
 policy/modules/roles/staff.te | 4 +++
 5 files changed, 63 insertions(+), 11 deletions(-)
diff --git a/Changelog b/Changelog
index e0fcc589..cbb71cf9 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Dbadm updates from KaiGai Kohei.
 - Virtio disk file context update from Mika Pfluger.
 - Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
 - Add JIT usage for freshclam.
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 8d3dfad7..5302dac4 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5127,6 +5127,25 @@ interface(`files_getattr_generic_locks',`
 getattr_files_pattern($1, var_lock_t, var_lock_t)
 ')
+########################################
+##
+## Delete generic lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_generic_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ delete_files_pattern($1, var_lock_t, var_lock_t)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete generic
diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if
index 92d23c58..56f2af74 100644
--- a/policy/modules/roles/dbadm.if
+++ b/policy/modules/roles/dbadm.if
@@ -25,7 +25,7 @@ interface(`dbadm_role_change',`
 ##
 ##
 ##
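Review bot: The summary of the new `files_delete_generic_locks` interface does not say that the grant covers every file of type var_lock_t, not only lock files the caller created; with dbadm_t becoming its first caller in this same commit, that is the ability to remove other services' lock files under the generic lock directory. Suggest widening the summary, e.g. `##	Delete generic lock files (any var_lock_t file, not only the caller's own).`, so future callers reach for a service-specific lock interface where one exists. The `allow $1 var_t:dir search_dir_perms;` line would also benefit from a why-comment; it presumably exists because the lock directory sits below a var_t directory, but confirm that against the neighbouring lock interfaces in this file before wording it. The XML `<summary>`/`<param>` tags appear to have been stripped from the `+##` lines by this rendering; the note assumes they are intact in the actual patch.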

-## Change from the web administrator role to
+## Change from the database administrator role to
 ## the specified role.
 ##

##

diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 2ddeb706..1875064e 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -5,15 +5,52 @@ policy_module(dbadm, 1.0.0)
 # Declarations
 #
+##
+##

+## Allow dbadm to manage files in users home directories +##

+##
+gen_tunable(dbadm_manage_user_files, false)
+
+##
+##

+## Allow dbadm to read files in users home directories +##

+##
+gen_tunable(dbadm_read_user_files, false)
+
 role dbadm_r;
-userdom_unpriv_user_template(dbadm)
+userdom_base_user_template(dbadm)
 ########################################
 #
 # database admin local policy
 #
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_delete_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+ userdom_manage_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+ userdom_write_user_tmp_files(dbadm_t)
+')
+
+tunable_policy(`dbadm_read_user_files',`
+ userdom_read_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+')
+
 optional_policy(`
 mysql_admin(dbadm_t, dbadm_r)
 ')
@@ -21,12 +58,3 @@ optional_policy(`
 optional_policy(`
 postgresql_admin(dbadm_t, dbadm_r)
 ')
-
-# For starting up daemon processes
-optional_policy(`
- su_role_template(dbadm, dbadm_r, dbadm_t)
-')
-
-optional_policy(`
- sudo_role_template(dbadm, dbadm_r, dbadm_t)
-')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index a589c552..0c9876c5 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -22,6 +22,10 @@ optional_policy(`
 auditadm_role_change(staff_r)
 ')
+optional_policy(`
+ dbadm_role_change(staff_r)
+')
+
 optional_policy(`
 postgresql_role(staff_r, staff_t)
 ')
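Review bot: `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` in the first dbadm.te hunk is granted unconditionally and without a comment saying why a database-admin domain needs each of these, while the home-directory access directly below it is carefully gated behind two tunables; dac_override lets the domain ignore file ownership and mode bits on anything its type enforcement already permits, and sys_ptrace extends its reach into other processes, so a reader cannot tell whether these serve the mysql_admin/postgresql_admin interfaces or are leftovers from the su/sudo role templates this commit removes. Suggest a why-comment on that line along the lines of `# TODO(review): state which database files need dac_override/dac_read_search and which tool needs sys_ptrace`, or moving the capability into the admin interface that actually requires it so it is only present when that service is. Separately, the `dbadm_manage_user_files` description text says only "Allow dbadm to manage files in users home directories", but its tunable_policy block also grants `userdom_read_user_tmp_files` and `userdom_write_user_tmp_files`; the description should mention user tmp files so the tunable's scope is not understated, and the same applies to `dbadm_read_user_files`. This hunk ends at the mysql_admin optional_policy block; the rest of the file's local policy is in the following hunk.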