Daniel J Walsh wrote:
> On 06/01/2009 02:03 AM, KaiGai Kohei wrote:
>> Dan,
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch
>>
>> It seems to me that the patch removes postgresql_role() from the
>> userdom_unpriv_user_template(), but it can prevent staff_t from accessing
>> SE-PostgreSQL.
>>
>> Could you fix it please?
> Ok, I added
>
> optional_policy(`
> 	postgresql_role(staff_r, staff_t)
> ')
>
> to staff.te. I do not want all users to be able to manage postgresql.
> So this should be a user-type-by-user-type decision.

The postgresql_role() might be misnamed?
It does not allow permissions to manage PostgreSQL itself.
It only allows the given domain to perform as an unprivileged client with
some of the UBAC specific types on SE-PostgreSQL.

The userdom_common_user_template() allows the given domain to connect to
PostgreSQL (when allow_user_postgresql_connect is turned on), so I think
basic permissions to the database objects should also be allowed.

--
KaiGai Kohei <kaigai@xxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
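The practical question in this exchange is what a user domain such as staff_t can actually do on SE-PostgreSQL objects once postgresql_role() is (or is not) applied to it. The script below is an added example, not code from this thread, from the reference policy or from SE-PostgreSQL: it shows the local-module form of the optional_policy block Dan added, and a small checker that reads sesearch-style allow rules (from a live `sesearch -A -s DOMAIN` if setools is installed, or from sample lines) and reports whether the domain has the permissions an unprivileged client needs. The rule format it parses ("allow src tgt:class { perms };", with or without spaces around the colon) and the type, class and permission names it checks (sepgsql_db_t:db_database access, sepgsql_table_t:db_table select/insert) are assumptions taken from the era's SE-PostgreSQL policy; adjust them to match your loaded policy.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumed names:
# sepgsql_db_t, sepgsql_table_t, db_database, db_table, access, select, insert.

# staff_sepgsql_te: local-module equivalent of the block added to staff.te.
staff_sepgsql_te() {
  cat <<'EOF'
policy_module(staff_sepgsql, 1.0)

gen_require(`
	type staff_t;
	role staff_r;
')

optional_policy(`
	postgresql_role(staff_r, staff_t)
')
EOF
}

# has_perm DOMAIN TARGET CLASS PERM  < allow-rules
# Reads sesearch-style "allow src tgt:class { perms };" lines on stdin.
# Exit 0 if DOMAIN has PERM on TARGET:CLASS, 1 otherwise.
has_perm() {
  awk -v d="$1" -v t="$2" -v c="$3" -v p="$4" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      gsub(/[ \t]*:[ \t]*/, ":", line)   # "tgt : class" -> "tgt:class"
      n = split(line, f, /[ \t]+/)
      if (n < 4 || f[1] != "allow" || f[2] != d) next
      split(f[3], tc, ":")
      if (tc[1] != t || tc[2] != c) next
      for (i = 4; i <= n; i++) {
        perm = f[i]
        gsub(/[{};]/, "", perm)          # strip braces and terminator
        if (perm == p) { found = 1; exit }
      }
    }
    END { exit (found ? 0 : 1) }'
}

# sepgsql_client_report DOMAIN  < allow-rules
# Checks the (assumed) minimum set an unprivileged SE-PostgreSQL client needs;
# prints one line per check and returns 0 only if every permission is allowed.
sepgsql_client_report() {
  dom="$1"; rules=$(cat); rc=0
  for spec in \
      "sepgsql_db_t db_database access" \
      "sepgsql_table_t db_table select" \
      "sepgsql_table_t db_table insert"; do
    set -- $spec
    if printf '%s\n' "$rules" | has_perm "$dom" "$1" "$2" "$3"; then
      echo "ok      $dom $1:$2 $3"
    else
      echo "missing $dom $1:$2 $3"; rc=1
    fi
  done
  return $rc
}

# live_client_report DOMAIN: the same check against the loaded policy via setools.
live_client_report() {
  command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed" >&2; return 2; }
  sesearch -A -s "$1" | sepgsql_client_report "$1"
}

# Demo on constructed sample rules (not captured from a real policy):
# staff_t can connect to a database and select, but cannot insert.
sample_rules='allow staff_t sepgsql_db_t:db_database { access getattr };
allow staff_t sepgsql_table_t:db_table { getattr select };
   allow user_t sepgsql_table_t : db_table { select } ;'
if printf '%s\n' "$sample_rules" | sepgsql_client_report staff_t; then
  echo "staff_t: full client access"
else
  echo "staff_t: incomplete client access"
fi
```

Run `live_client_report staff_t` on a box with setools installed to see what the loaded policy actually grants; a "missing" line for db_table select after postgresql_role() is applied is the symptom KaiGai describes, while a "missing" line for db_database access points at the allow_user_postgresql_connect boolean instead.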