rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Dbadm updates from KaiGai Kohei.

Browse Source
This commit is contained in:
Chris PeBenito 2010-08-19 08:41:39 -04:00
parent ab8f919e6f
commit c62f1bef77
5 changed files with 63 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Changelog
View File

@ -1,3 +1,4 @@
- Dbadm updates from KaiGai Kohei.
- Virtio disk file context update from Mika Pfluger. - Virtio disk file context update from Mika Pfluger.
- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh. - Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
- Add JIT usage for freshclam. - Add JIT usage for freshclam.

19
policy/modules/kernel/files.if
View File

@ -5127,6 +5127,25 @@ interface(`files_getattr_generic_locks',`
getattr_files_pattern($1, var_lock_t, var_lock_t) getattr_files_pattern($1, var_lock_t, var_lock_t)
') ')
########################################
## <summary>
## Delete generic lock files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_generic_locks',`
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
delete_files_pattern($1, var_lock_t, var_lock_t)
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete generic ## Create, read, write, and delete generic

2
policy/modules/roles/dbadm.if
View File

@ -25,7 +25,7 @@ interface(`dbadm_role_change',`
## </summary> ## </summary>
## <desc> ## <desc>
## <p> ## <p>
## Change from the web administrator role to ## Change from the database administrator role to
## the specified role. ## the specified role.
## </p> ## </p>
## <p> ## <p>

48
policy/modules/roles/dbadm.te
View File

@ -5,15 +5,52 @@ policy_module(dbadm, 1.0.0)
# Declarations # Declarations
# #
## <desc>
## <p>
## Allow dbadm to manage files in users home directories
## </p>
## </desc>
gen_tunable(dbadm_manage_user_files, false)
## <desc>
## <p>
## Allow dbadm to read files in users home directories
## </p>
## </desc>
gen_tunable(dbadm_read_user_files, false)
role dbadm_r; role dbadm_r;
userdom_unpriv_user_template(dbadm) userdom_base_user_template(dbadm)
######################################## ########################################
# #
# database admin local policy # database admin local policy
# #
allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
files_dontaudit_search_all_dirs(dbadm_t)
files_delete_generic_locks(dbadm_t)
files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
logging_send_syslog_msg(dbadm_t)
userdom_dontaudit_search_user_home_dirs(dbadm_t)
tunable_policy(`dbadm_manage_user_files',`
userdom_manage_user_home_content_files(dbadm_t)
userdom_read_user_tmp_files(dbadm_t)
userdom_write_user_tmp_files(dbadm_t)
')
tunable_policy(`dbadm_read_user_files',`
userdom_read_user_home_content_files(dbadm_t)
userdom_read_user_tmp_files(dbadm_t)
')
optional_policy(` optional_policy(`
mysql_admin(dbadm_t, dbadm_r) mysql_admin(dbadm_t, dbadm_r)
') ')
@ -21,12 +58,3 @@ optional_policy(`
optional_policy(` optional_policy(`
postgresql_admin(dbadm_t, dbadm_r) postgresql_admin(dbadm_t, dbadm_r)
') ')
# For starting up daemon processes
optional_policy(`
su_role_template(dbadm, dbadm_r, dbadm_t)
')
optional_policy(`
sudo_role_template(dbadm, dbadm_r, dbadm_t)
')

4
policy/modules/roles/staff.te
View File

@ -22,6 +22,10 @@ optional_policy(`
auditadm_role_change(staff_r) auditadm_role_change(staff_r)
') ')
optional_policy(`
dbadm_role_change(staff_r)
')
optional_policy(` optional_policy(`
postgresql_role(staff_r, staff_t) postgresql_role(staff_r, staff_t)
') ')