On Mon, 7 Jun 2004 17:35, "Igor Borisovsky" <igor@xxxxxxxxxxxx> wrote:
> Ok. I see you.
> Can you explain to me the following thing?
> As I understand, in SELinux all permissions
> must be explicitly granted. Hence there is
> a permission to allow sysadm_t to enter the /var/lib/pgsql directory.
> I can't find something like this:
> allow sysadm_t pgsql_home_dir_t:dir {...};
> It is interesting how the sysadm_t type has access to the /var/lib/pgsql directory?

The type pgsql_home_dir_t has the attribute sysadmfile, which means sysadm_t gets full access. Remove the sysadmfile attribute and the access will be denied. But if the attribute is granted through the full_user_role() macro then it's probably easiest to just define a new type for this.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
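The mechanism Russell describes, attribute expansion in allow rules, is what makes the missing `allow sysadm_t pgsql_home_dir_t:dir {...};` rule unnecessary: a rule whose target is the attribute `sysadmfile` applies to every type declared with that attribute. The following is an added example, not code from the mail or from the SELinux example policy. It parses a constructed fragment in the 2004 example-policy syntax (only `attribute`, `type ..., attr, attr;` and brace-form `allow` statements), resolves an access query through attribute membership, and then walks through the two remedies from the reply: dropping `sysadmfile` from the type, or declaring a new type without it. The permission set on the `sysadmfile` rule and the type name `pgsql_private_t` are assumptions for illustration; the real policy grants the admin access through m4 permission macros.

```python
"""Toy resolver for old-style SELinux allow rules with type attributes.

Added example, not the SELinux policy or its tooling.  It models just the
two features the mail relies on: type declarations that attach attributes
and allow rules whose source or target may be an attribute.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    attributes: set = field(default_factory=set)
    types: dict = field(default_factory=dict)   # type name -> attributes it carries
    rules: list = field(default_factory=list)   # (src, tgt, class, perms)


ATTR = re.compile(r"attribute\s+(\S+);")
TYPE = re.compile(r"type\s+([^;]+);")
RULE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\};")


def parse(text):
    """Parse a policy fragment; comments start with '#', one statement per line."""
    pol = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := ATTR.fullmatch(line):
            pol.attributes.add(m.group(1))
        elif m := TYPE.fullmatch(line):
            name, *attrs = [p.strip() for p in m.group(1).split(",")]
            unknown = set(attrs) - pol.attributes
            if unknown:
                raise ValueError(f"{name}: undeclared attribute(s) {unknown}")
            pol.types[name] = set(attrs)
        elif m := RULE.fullmatch(line):
            src, tgt, cls, perms = m.groups()
            pol.rules.append((src, tgt, cls, set(perms.split())))
        else:
            raise ValueError(f"unsupported statement: {line}")
    return pol


def _matches(elem, type_name, pol):
    """A rule element matches a type if it names it or an attribute it carries."""
    return elem == type_name or elem in pol.types.get(type_name, set())


def allowed(pol, src, tgt, cls, perm):
    """True if some allow rule grants perm once attributes are expanded."""
    return any(_matches(s, src, pol) and _matches(t, tgt, pol)
               and c == cls and perm in perms
               for s, t, c, perms in pol.rules)


def explain(pol, src, tgt, cls, perm):
    """The granting rules, rendered as they appear in the policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
            for s, t, c, perms in pol.rules
            if _matches(s, src, pol) and _matches(t, tgt, pol)
            and c == cls and perm in perms]


# Constructed policy fragment in the 2004 example-policy syntax.
# The permission set on the sysadmfile rule is an assumption for illustration.
POLICY = """
attribute file_type;
attribute sysadmfile;
type sysadm_t;
type pgsql_home_dir_t, file_type, sysadmfile;
allow sysadm_t sysadmfile:dir { read getattr search };
"""


def demo():
    """Walk through the question and both remedies from the reply."""
    base = parse(POLICY)
    # No rule names pgsql_home_dir_t, yet sysadm_t can search it via sysadmfile.
    via_attribute = allowed(base, "sysadm_t", "pgsql_home_dir_t", "dir", "search")

    # Remedy 1: drop the attribute from the type declaration; access is denied.
    stripped = parse(POLICY.replace(
        "type pgsql_home_dir_t, file_type, sysadmfile;",
        "type pgsql_home_dir_t, file_type;"))
    after_removal = allowed(stripped, "sysadm_t", "pgsql_home_dir_t", "dir", "search")

    # Remedy 2: leave pgsql_home_dir_t alone and declare a new type without
    # sysadmfile for the data that should be off limits (name is hypothetical).
    extended = parse(POLICY + "type pgsql_private_t, file_type;\n")
    new_type = allowed(extended, "sysadm_t", "pgsql_private_t", "dir", "search")

    return {"via_attribute": via_attribute,
            "after_removal": after_removal,
            "new_type": new_type}


if __name__ == "__main__":
    pol = parse(POLICY)
    print(explain(pol, "sysadm_t", "pgsql_home_dir_t", "dir", "search"))
    print(demo())
```

On a live system the same question is answered by setools (`sesearch -A -s sysadm_t -t pgsql_home_dir_t -c dir`), which expands attributes the same way; the point of the toy is to make visible that the granting rule names `sysadmfile`, not `pgsql_home_dir_t`.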