Creating roles and user domains
One of the best features of SELinux is its ability to confine end users and only grant them the rights they need to do their job. To accomplish this, we need to create a restricted user domain that these users should use (either immediately, or after switching from their standard role to the more privileged role).
Such user domains and roles need to be created through SELinux policy enhancements. These enhancements, however, require a deep understanding of the available permission checks, reference policy macros and more, which one can only obtain through experience (or assistance). Still, that shouldn't prevent us from giving a working example of how to create a special end user role and domain for the PostgreSQL administration.
The pgsql_admin role and user
First, let us look at the file. Each line is commented to explain why the various methods are used as follows:
policy_module(pgsql_admin, 1.0) # Define the pgsql_admin_r role role pgsql_admin_r; # Create...
