I used the macro full_user_role() for the pgsql type. Then I corrected the policy.conf file manually. So the definitions for the new types look like this:

type pgsql_home_dir_t, file_type, home_dir_type, home_type, user_home_dir_type, user_home_type;
type pgsql_home_t, file_type, home_type, user_home_type;

(I removed the sysadmfile attribute.)

And finally I launched 'make load'. After that /var/lib/pgsql is still accessible for sysadm_t.

-----Original Message-----
From: Russell Coker [mailto:russell@xxxxxxxxxxxx]
Sent: Monday, June 07, 2004 12:23 PM
To: fedora-selinux-list@xxxxxxxxxx
Cc: Igor Borisovsky; 'Stephen Smalley'; SELinux@xxxxxxxxxxxxx
Subject: Re: Access to the postgresql data files

On Mon, 7 Jun 2004 17:35, "Igor Borisovsky" <igor@xxxxxxxxxxxx> wrote:
> Ok. I see you.
> Can you explain the following thing to me?
> As I understand it, in SELinux all permissions must be explicitly granted.
> Hence there is a permission to allow sysadm_t to enter the
> /var/lib/pgsql directory.
> I can't find something like this:
> allow sysadm_t pgsql_home_dir_t:dir {...};
> It is interesting how the sysadm_t type has access to the /var/lib/pgsql directory?

The type pgsql_home_dir_t has the attribute sysadmfile, which means sysadm_t gets full access. Remove the sysadmfile attribute and the access will be denied.

But if the attribute is granted through the full_user_role() macro then it's probably easiest to just define a new type for this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
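The attribute mechanism Russell describes, worked as an added example (not code from the thread, the policy sources, or the SELinux tools): a small resolver that expands allow rules naming an attribute to every type carrying it, and re-runs the check after the attribute is dropped from the type declarations. The policy fragment is constructed; its allow rules on sysadmfile are hypothetical stand-ins for what the sysadm macros grant, and only single-identifier rules are handled.

```python
import re

# Constructed policy fragment: type declarations as quoted in the thread,
# plus hypothetical allow rules standing in for what the sysadm macros grant
# on the sysadmfile attribute (the real rules live in the policy sources).
POLICY = """
type pgsql_home_dir_t, file_type, home_dir_type, home_type, sysadmfile, user_home_dir_type, user_home_type;
type pgsql_home_t, file_type, home_type, sysadmfile, user_home_type;
type sysadm_home_t, file_type, home_type, sysadmfile;
allow sysadm_t sysadmfile:dir { read getattr search write add_name remove_name };
allow sysadm_t sysadmfile:file { read getattr write create unlink };
allow sysadm_t sysadm_home_t:dir rmdir;
"""

# Simple forms only: one identifier each for source, target and class.
TYPE_RE = re.compile(r"^[ \t]*type\s+(\w+)([^;]*);", re.M)
ALLOW_RE = re.compile(r"^[ \t]*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_types(policy):
    """Map each declared type to the set of attributes it carries."""
    return {name: {a.strip() for a in rest.split(",") if a.strip()}
            for name, rest in TYPE_RE.findall(policy)}

def effective_perms(policy, source, target, cls):
    """Return (permissions, rule targets) that `source` gets on `target`
    for class `cls`. A rule whose target is an attribute applies to every
    type carrying that attribute; that is the path from sysadm_t to
    pgsql_home_dir_t that no direct allow rule shows."""
    attrs = parse_types(policy).get(target, set())
    perms, via = set(), set()
    for src, tgt, c, plist in ALLOW_RE.findall(policy):
        if src == source and c == cls and (tgt == target or tgt in attrs):
            perms |= set(plist.strip("{}").split())
            via.add(tgt)
    return perms, via

def drop_attribute(policy, attr):
    """Remove `attr` from every type declaration, the edit the thread made
    by hand in policy.conf; allow rules are left untouched."""
    def rewrite(m):
        keep = [a.strip() for a in m.group(2).split(",")
                if a.strip() and a.strip() != attr]
        return "type " + ", ".join([m.group(1)] + keep) + ";"
    return TYPE_RE.sub(rewrite, policy)

if __name__ == "__main__":
    for label, pol in (("with sysadmfile", POLICY),
                       ("without sysadmfile", drop_attribute(POLICY, "sysadmfile"))):
        print(label, effective_perms(pol, "sysadm_t", "pgsql_home_dir_t", "dir"))
```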