Creating roles and user domains
One of the best features of SELinux is its ability to confine end users and only grant them the rights they need to do their job. To accomplish this, we need to create a restricted user domain that these users should use (either immediately or after switching from their standard role to the more privileged role).
Such user domains and roles need to be created through SELinux policy enhancements. These enhancements, however, require a deep understanding of the available permission checks, reference policy macros, and more, which one can only obtain through experience (or assistance). Still, that shouldn't prevent us from providing a working example of how to create a special end user role and domain for the PostgreSQL administration.
Creating the pgsql_admin.te file
First, let's look at the SELinux policy file that includes our user related rules. Each line is commented to explain why the next policy line is used.
The pgsql_admin.te
file looks as follows:
# cat...