mcs design help

Hi All,

I'm looking for any implementation suggestions for the following: on a database server that restricts logins to confined users, allow selinux users with sysadm_r the ability to administer most aspects of the system, but restrict access to some mysql database files.

I approached this by labeling the mysql database files with an mcs category (c127), and then added a domain transition to the mysqld process to run with a context that includes c127.  The confined login was configured to initialize with s0:c0.  Finally (and I'm really not sure this was the best way), I needed to ensure the administrator could not disable/circumvent selinux so I added the following restriction to the newrole and setenforce binaries (c0.c1023).

My test user (also in the sudoers file) can do administrative functions, cannot access the database files, and cannot disable selinux.  Any suggestions on how to improve on what I have done?

--Stephen

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
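
Added example, not part of the original post or of any SELinux tooling: a small Python model of the MCS category check behind the labels described above (c0 for the login, c127 for the database files and mysqld, c0.c1023 for newrole and setenforce). It assumes the loaded policy's MCS constraint requires the process level to carry every category on the object, and it treats each context as a single level rather than a range; the subject and object names are labels chosen for this example.

```python
# Added illustration (not from the original post): MCS category dominance.
# Assumption: the policy's MCS constraint permits file access only when the
# process level's category set is a superset of the object's category set.

def parse_categories(level):
    """Category set of an MCS level such as 's0', 's0:c1,c5' or 's0:c0.c1023'."""
    sensitivity, _, cats = level.partition(":")
    if sensitivity != "s0":
        raise ValueError("MCS policy has the single sensitivity s0: %r" % level)
    found = set()
    for part in filter(None, cats.split(",")):
        low, is_range, high = part.partition(".")
        if not low.startswith("c") or (is_range and not high.startswith("c")):
            raise ValueError("bad category term: %r" % part)
        first = int(low[1:])
        last = int(high[1:]) if is_range else first
        if not 0 <= first <= last <= 1023:
            raise ValueError("category out of range: %r" % part)
        found.update(range(first, last + 1))
    return frozenset(found)

def dominates(process_level, object_level):
    """True when the process carries every category on the object."""
    return parse_categories(process_level) >= parse_categories(object_level)

# Levels from the post; single levels rather than ranges are a simplification.
SUBJECTS = {"confined admin": "s0:c0", "mysqld": "s0:c127"}
OBJECTS = {
    "database files": "s0:c127",
    "newrole/setenforce": "s0:c0.c1023",
    "file with no categories": "s0",   # constructed comparison case
    "file labeled c0": "s0:c0",        # constructed comparison case
}

def access_matrix():
    """Map (subject, object) to whether the MCS check alone would pass."""
    return {(s, o): dominates(sl, ol)
            for s, sl in SUBJECTS.items() for o, ol in OBJECTS.items()}

if __name__ == "__main__":
    for (subject, obj), ok in access_matrix().items():
        print("%-15s -> %-24s %s" % (subject, obj, "pass" if ok else "DENY"))
```

The model covers the category check only; type enforcement rules are evaluated in addition to it, so a "pass" here does not by itself mean access is granted.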