mysql policy from Dan Walsh
My changes to patch: A couple changes to match style. Removed files_dontaudit_search_all_mountpoints(mysqld_safe_t), it doesn't exist in refpolicy
This commit is contained in:
parent
2f0e3a4e7e
commit
12a6a53f63
@ -1,5 +1,43 @@
|
||||
## <summary>Policy for MySQL</summary>
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute MySQL in the mysql domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_domtrans',`
|
||||
gen_require(`
|
||||
type mysqld_t, mysqld_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1,mysqld_exec_t,mysqld_t)
|
||||
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute MySQL server in the mysql domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_domtrans_mysql_safe',`
|
||||
gen_require(`
|
||||
type mysqld_safe_t, mysqld_safe_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1,mysqld_safe_exec_t, mysqld_safe_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a generic signal to MySQL.
|
||||
|
@ -6,6 +6,13 @@ policy_module(mysql, 1.11.2)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow mysqld to connect to all ports
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(mysql_connect_any, false)
|
||||
|
||||
type mysqld_t;
|
||||
type mysqld_exec_t;
|
||||
init_daemon_domain(mysqld_t, mysqld_exec_t)
|
||||
@ -47,7 +54,7 @@ files_pid_file(mysqlmanagerd_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
|
||||
allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
|
||||
dontaudit mysqld_t self:capability sys_tty_config;
|
||||
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
|
||||
allow mysqld_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -125,6 +132,11 @@ ifdef(`distro_redhat',`
|
||||
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
|
||||
')
|
||||
|
||||
tunable_policy(`mysql_connect_any',`
|
||||
corenet_tcp_connect_all_ports(mysqld_t)
|
||||
corenet_sendrecv_all_client_packets(mysqld_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(mysqld_t, mysqld_exec_t)
|
||||
')
|
||||
@ -142,28 +154,35 @@ optional_policy(`
|
||||
# Local mysqld_safe policy
|
||||
#
|
||||
|
||||
allow mysqld_safe_t self:capability { dac_override fowner chown };
|
||||
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
|
||||
dontaudit mysqld_safe_t self:capability sys_ptrace;
|
||||
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
||||
|
||||
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
|
||||
|
||||
allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
|
||||
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
|
||||
|
||||
domain_read_all_domains_state(mysqld_safe_t)
|
||||
|
||||
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
|
||||
|
||||
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
|
||||
kernel_read_system_state(mysqld_safe_t)
|
||||
kernel_read_kernel_sysctls(mysqld_safe_t)
|
||||
|
||||
corecmd_exec_bin(mysqld_safe_t)
|
||||
|
||||
dev_list_sysfs(mysqld_safe_t)
|
||||
|
||||
files_read_etc_files(mysqld_safe_t)
|
||||
files_read_usr_files(mysqld_safe_t)
|
||||
|
||||
corecmd_exec_bin(mysqld_safe_t)
|
||||
|
||||
hostname_exec(mysqld_safe_t)
|
||||
|
||||
miscfiles_read_localization(mysqld_safe_t)
|
||||
|
Loading…
Reference in New Issue
Block a user