RE: Needs to prevent executing su.

I commented out su_domain() in the admin_domain() macro.
So root (in sysadm_t) can't execute the su command at all.
But it would be better if root couldn't execute the su command only for one
certain user.

-----Original Message-----
From: Russell Coker [mailto:russell@xxxxxxxxxxxx] 
Sent: Saturday, June 12, 2004 12:19 PM
To: fedora-selinux-list@xxxxxxxxxx
Cc: Igor Borisovsky
Subject: Re: Needs to prevent executing su.

On Fri, 11 Jun 2004 23:53, "Igor Borisovsky" <igor@xxxxxxxxxxxx> wrote:
> root operates as the server administrator. Now the selinux policy
> configuration forbids root access to the postgresql data files.
> The Postgresql database contains secure data. Therefore root must not be
> able to access this information.
> Instead, there is a database administrator. This person is authorized
> to do all database related operations.
> So I need to prevent executing 'su postgres' for root.

The solution is that you use SE Linux to control which domains can access
the files in question, and not use Unix permissions to do this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

