Re: Needs to prevent executing su.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 14 Jun 2004 17:48, "Igor Borisovsky" <igor@xxxxxxxxxxxx> wrote:
> Let me explain in more details my problem.
> What I did:
> 1. prevented root access to the postgresql data files located at
> /var/lib/pgsql;

Presumably you mean that you prevented sysadm_t access.

> 2. created custom pgsql_t type and pgsql_r role;
> 3. created selinux user postgres:
> 	user postgres roles pgsql_r;
> 4. all postgresql directories and files has a proper types(e.g.
> pgsql_home_dir_t, pgsql_home_t).
> Therefore I have two persons: root and postgres. User root is the server
> administrator, but
> he can't access to the postgresql data files. And user postgres is the
> database administrator.
> He will do all database related operations(e.g. database backup). Hence
> postgres has access
> to the postgresql data files. So for security reason i need to prevent
> transition from user root to user postgres.

Then you will need to prevent sysadm_t from accessing pgsql_home_dir_t and 
pgsql_home_t as well...

You could change macros/program/su_macros.te, replace the following line:
domain_trans($1_su_t, shell_exec_t, userdomain)
With:
domain_trans($1_su_t, shell_exec_t, { user_t staff_t sysadm_t })

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux