On Fri, 4 Jun 2004 01:43, "Igor Borisovsky" <igor@xxxxxxxxxxxx> wrote:
> Hi.
> I have a question about selinux policy configuration for FC2.
> I need to forbid access to the postgresql data files from user root.
[...]
> I guess i need to find and revoke this permission from sysadm_r role.
> After looking at the policy.conf file I can't understand this.
> So how can i prevent access to postgresql data files from user root?

sysadm_t domain (the default domain for sysadm_r role) has access to almost everything on the system. sysadm_t can run fdisk, useradd, vipw, etc. You can't realistically deny sysadm_t access to any resource without significant changes to the entire policy (such things have been discussed but are a long way from being implemented).

You can deny the root user sysadm_r role to deny them such access (but make sure you grant another user sysadm_r so that you can still administer your system).

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
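As an added illustration of the role change described in the reply above (not part of the original thread), this is what the user-to-role declarations look like in the FC2-era example policy source, where the `users` file lists the roles each Linux user may enter; the file path and the administrative account name `admin` are assumptions:

```text
# policy/users  (path assumed; old example-policy syntax, not reference policy)

# Before: root may enter sysadm_r, so a root login ends up in sysadm_t and
# can read anything, including the PostgreSQL data files.
user root roles { staff_r sysadm_r };

# After: root is limited to staff_r, so a root shell runs in staff_t and
# newrole to sysadm_r is refused for root.  sysadm_r moves to a separate
# administrative account so the system can still be administered.
user root roles { staff_r };
user admin roles { staff_r sysadm_r };
```

After rebuilding and loading the policy from the source tree, check a fresh root login with `id -Z` to confirm the context no longer contains sysadm_r before relying on the change.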