Creating a new role
Roles are part of SELinux policies. In order to create a new role, it isn't possible to just invoke a few semanage
commands. Instead, an SELinux policy module will need to be created.
How to do it…
The SELinux policy needs to be updated in order to create a new role. The following steps can be used to do just that:

1. Create a new policy module named after the role to be created, such as pgsqladm (for a PostgreSQL administration role).

2. In the policy module, call the userdom_login_user_template interface:

   userdom_login_user_template(pgsqladm)

3. Assign the proper privileges to the pgsqladm_r role and the pgsqladm_t type:

   postgresql_admin(pgsqladm_t, pgsqladm_r)

4. Edit the default_type file in /etc/selinux/mcs/contexts/ to make pgsqladm_t the default type for the pgsqladm_r role:

   pgsqladm_r:pgsqladm_t

5. Edit the default_contexts file in /etc/selinux/mcs/contexts/ to tell the system which types to transition to when an application triggers a user switch. For instance, for...
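The policy module that steps 1 to 3 produce, written out in full as an added example (not a listing from this recipe), assuming the reference policy's policy_module macro and development Makefile are available alongside the two interfaces the steps name:

```selinux
# pgsqladm.te - added example module for a PostgreSQL administration role
# (constructed for illustration; assumes the reference policy's userdom and
# postgresql interfaces are installed under /usr/share/selinux/devel)

policy_module(pgsqladm, 1.0)

# Step 2: in the reference policy this template declares the pgsqladm_r role
# and the pgsqladm_t domain and grants the domain what an interactive login
# user needs (home directory, tmp, password change, role/type binding).
userdom_login_user_template(pgsqladm)

# Step 3: grant the domain and the role the privileges required to administer
# PostgreSQL. The interface takes the domain first and the role second so it
# can also authorize the role for the types the domain transitions into.
postgresql_admin(pgsqladm_t, pgsqladm_r)

# Build and load the module with the reference policy development Makefile:
#   make -f /usr/share/selinux/devel/Makefile pgsqladm.pp
#   semodule -i pgsqladm.pp
# Then add the step 4 line to /etc/selinux/mcs/contexts/default_type:
#   pgsqladm_r:pgsqladm_t
# and confirm the role is now known to the loaded policy:
#   seinfo -r | grep pgsqladm_r
```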