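## <summary>Policy for MySQL</summary>

########################################
## <summary>
##	Send a generic signal to MySQL.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_signal',`
	gen_require(`
		type mysqld_t;
		class process signal;
	')

	allow $1 mysqld_t:process signal;
')

########################################
## <summary>
##	Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_stream_connect',`
	gen_require(`
		# both types used by the rules below must be required here,
		# not only mysqld_t
		type mysqld_t, mysqld_var_run_t;
		class unix_stream_socket connectto;
		class dir search;
		class sock_file write;
	')

	# reach the socket file under the runtime directory, then connect
	allow $1 mysqld_var_run_t:dir search;
	allow $1 mysqld_var_run_t:sock_file write;
	allow $1 mysqld_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Read MySQL configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_read_config',`
	gen_require(`
		type mysqld_etc_t;
		class dir { getattr read search };
		class file { read getattr };
		class lnk_file { getattr read };
	')

	# read-only: no write/append on any of the config object classes
	allow $1 mysqld_etc_t:dir { getattr read search };
	allow $1 mysqld_etc_t:file { read getattr };
	allow $1 mysqld_etc_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Search the directories that contain MySQL
##	database storage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
interface(`mysql_search_db_dir',`
	gen_require(`
		type mysqld_db_t;
		class dir search;
	')

	# search on the parent path is needed before the db dir itself
	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search;
')

########################################
## <summary>
##	Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_rw_db_dir',`
	gen_require(`
		type mysqld_db_t;
		# rw_dir_perms is a permission set on the dir class,
		# not a class of its own
		class dir rw_dir_perms;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_manage_db_dir',`
	gen_require(`
		# the required type must be the one the rule below uses
		# (mysqld_db_t), matching the other db dir interfaces
		type mysqld_db_t;
		# create_dir_perms is a permission set on the dir class
		class dir create_dir_perms;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir create_dir_perms;
')

########################################
## <summary>
##	Write to the MySQL log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_write_log',`
	gen_require(`
		type mysqld_log_t;
		class file { write append setattr ioctl };
	')

	# search on the log parent directory; no read on the log itself
	logging_search_logs($1)
	allow $1 mysqld_log_t:file { write append setattr ioctl };
')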