On Wed, Dec 2, 2009 at 3:30 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Red Hat's
> policy has been trying to cope with cases like "which directories should
> Apache be allowed to read, *given that it's running a Red-Hat-standard
> configuration*?" That's far more circumscribed than any useful database
> policy would be, because database applications aren't nearly that
> standardized.
Actually that does sound useful for Redhat packages which themselves
use database. So for example if I install my Redhat spam filter it
should be able to automatically run createdb and load its schema and
start using postgres as a backing store. Currently I think a lot of
packages use sqlite by default just because manual intervention is
required to set up postgres.
So I'm unclear what advantage this has for Redhat and sysadmins over
just setting up the database directly but then I'm unclear what the
advantage is for SELinux in the first place so I'm probably just not
in the target audience for it. But this seems like it would be
directly analogous. I suppose an admin would be able to delegate more
control to a new admin
--
greg