9461b60657
Remove permissive domain from cmirrord and dontaudit sys_tty_config. Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser. virt needs to be able to read processes to clearance for MLS.
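policy_module(dbadm, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow dbadm to manage files in users home directories
## and to read and write files in users tmp directories.
## </p>
## </desc>
gen_tunable(dbadm_manage_user_files, false)

## <desc>
## <p>
## Allow dbadm to read files in users home directories
## and in users tmp directories.
## </p>
## </desc>
gen_tunable(dbadm_read_user_files, false)

# Role and base user domain for the database administrator.
# userdom_base_user_template() declares dbadm_t and the minimal
# user-domain permissions; everything else is granted explicitly below.
role dbadm_r;

userdom_base_user_template(dbadm)

########################################
#
# database admin local policy
#

# These are the broadest grants in this module: dac_override and
# dac_read_search bypass discretionary (mode-bit) permission checks, and
# sys_ptrace covers ptrace-style inspection of processes owned by other
# users. NOTE(review): confirm each capability is actually exercised by the
# database admin workflows; dac_read_search alone covers read/search bypass
# if write bypass (dac_override) is not required.
allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };

# dontaudit only silences denial records for directory searches; it grants
# nothing, so dbadm_t can still not traverse directories it has no rule for.
files_dontaudit_search_all_dirs(dbadm_t)
files_delete_generic_locks(dbadm_t)
files_list_var(dbadm_t)

selinux_get_enforce_mode(dbadm_t)

logging_send_syslog_msg(dbadm_t)
logging_send_audit_msgs(dbadm_t)

# Silence search denials on user home directories; access to their contents
# is gated by the two tunables below.
userdom_dontaudit_search_user_home_dirs(dbadm_t)

# Both tunables default to off (see gen_tunable above). Enabling them extends
# dbadm_t into user-owned data, so they should only be turned on where the
# admin workflow genuinely needs it. The "manage" tunable also grants
# read/write on user tmp files, not only home content.
tunable_policy(`dbadm_manage_user_files',`
	userdom_manage_user_home_content_files(dbadm_t)
	userdom_read_user_tmp_files(dbadm_t)
	userdom_write_user_tmp_files(dbadm_t)
')

tunable_policy(`dbadm_read_user_files',`
	userdom_read_user_home_content_files(dbadm_t)
	userdom_read_user_tmp_files(dbadm_t)
')

# optional_policy blocks take effect only when the named module is loaded.
# The *_admin interfaces hand dbadm_t/dbadm_r administrative control over the
# respective database service, including its files and role transitions.
optional_policy(`
	mysql_admin(dbadm_t, dbadm_r)
')

optional_policy(`
	postgresql_admin(dbadm_t, dbadm_r)
')

# Gives the dbadm role a sudo domain. The effective privilege boundary is then
# whatever sudoers allows for this role; confirm it is as restrictive as
# intended rather than a blanket ALL.
optional_policy(`
	sudo_role_template(dbadm, dbadm_r, dbadm_t)
')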