root operates as server administrator. Now the SELinux policy configuration forbids root access to the PostgreSQL data files. The PostgreSQL database contains secure data. Therefore root must not be able to access this information. Instead, there is a database administrator. This person is authorized to do all database-related operations. So I need to prevent executing 'su postgres' for root.

-----Original Message-----
From: Russell Coker [mailto:russell@xxxxxxxxxxxx]
Sent: Friday, June 11, 2004 5:36 PM
To: fedora-selinux-list@xxxxxxxxxx
Cc: Igor Borisovsky
Subject: Re: Needs to prevent executing su.

On Fri, 11 Jun 2004 23:13, "Igor Borisovsky" <igor@xxxxxxxxxxxx> wrote:
> How to prevent executing 'su postgres' command by root?

If the identity "root" is only permitted the "user_r" role (as implemented on several SE Linux machines) then they will not be able to run the su command, or perform other administrative tasks (including access to postgres data files).

If "root" operates in the traditional Unix manner (i.e. having full control over the machine) then why try to restrict it from "su postgres" as it can already access all such files?

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page