mysql policy from Dan Walsh

My changes to patch:
A couple changes to match style.
Removed files_dontaudit_search_all_mountpoints(mysqld_safe_t), it doesn't exist in refpolicy
This commit is contained in:
Jeremy Solt 2010-03-11 13:19:55 -05:00 committed by Chris PeBenito
parent 2f0e3a4e7e
commit 12a6a53f63
2 changed files with 62 additions and 5 deletions

View File

@ -1,5 +1,43 @@
## <summary>Policy for MySQL</summary>
######################################
## <summary>
## Execute MySQL in the mysql domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_domtrans',`
gen_require(`
type mysqld_t, mysqld_exec_t;
')
domtrans_pattern($1,mysqld_exec_t,mysqld_t)
')
######################################
## <summary>
## Execute MySQL server in the mysql domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_domtrans_mysql_safe',`
gen_require(`
type mysqld_safe_t, mysqld_safe_exec_t;
')
domtrans_pattern($1,mysqld_safe_exec_t, mysqld_safe_t)
')
########################################
## <summary>
## Send a generic signal to MySQL.

View File

@ -6,6 +6,13 @@ policy_module(mysql, 1.11.2)
# Declarations
#
## <desc>
## <p>
## Allow mysqld to connect to all ports
## </p>
## </desc>
gen_tunable(mysql_connect_any, false)
type mysqld_t;
type mysqld_exec_t;
init_daemon_domain(mysqld_t, mysqld_exec_t)
@ -47,7 +54,7 @@ files_pid_file(mysqlmanagerd_var_run_t)
# Local policy
#
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
@ -125,6 +132,11 @@ ifdef(`distro_redhat',`
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
')
tunable_policy(`mysql_connect_any',`
corenet_tcp_connect_all_ports(mysqld_t)
corenet_sendrecv_all_client_packets(mysqld_t)
')
optional_policy(`
daemontools_service_domain(mysqld_t, mysqld_exec_t)
')
@ -142,28 +154,35 @@ optional_policy(`
# Local mysqld_safe policy
#
allow mysqld_safe_t self:capability { dac_override fowner chown };
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
domain_read_all_domains_state(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
dev_list_sysfs(mysqld_safe_t)
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
hostname_exec(mysqld_safe_t)
miscfiles_read_localization(mysqld_safe_t)