#DESC Mysqld - Database server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: mysql-server
#
#################################
#
# Rules for the mysqld_t domain.
#
# mysqld_exec_t is the type of the mysqld executable.
#
# Declares the mysqld_t daemon domain and its entry point mysqld_exec_t.
# mysqld_var_run_t is used below without a declaration in this file, so it
# is presumably created by this macro as well - confirm against the macro.
daemon_domain(mysqld)

# Port type for the listening TCP socket; the port number itself is bound to
# mysqld_port_t outside this file (network contexts), not here.
type mysqld_port_t, port_type;
allow mysqld_t mysqld_port_t:tcp_socket name_bind;

# The server's local (unix) socket lives in the mysqld_var_run_t directory.
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;

# Configuration directory type; the alias keeps the older etc_mysqld_t name
# valid for policy or file contexts that still refer to it.
etcdir_domain(mysqld)
typealias mysqld_etc_t alias etc_mysqld_t;

# Type for the database files themselves. The sysadmfile attribute is what
# gives the administrator domain its access to these files - that grant is
# made in the base policy, not here.
type mysqld_db_t, file_type, sysadmfile;

log_domain(mysqld)

# for temporary tables
tmp_domain(mysqld)

# Read-only access to files labelled usr_t (e.g. data shipped under /usr).
allow mysqld_t usr_t:file { getattr read };
allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;

# The init script talks to the running server over its unix socket and may
# write to the server log; connectto plus sock_file write is the pair a
# unix-socket connect() needs.
allow initrc_t mysqld_t:unix_stream_socket connectto;
allow initrc_t mysqld_var_run_t:sock_file write;
allow initrc_t mysqld_log_t:file { write append setattr ioctl };

# Capabilities: setuid/setgid for the daemon to change to its service user,
# net_bind_service only matters if the configured port is below 1024.
# NOTE(review): dac_override is the broadest of the four - it bypasses
# ordinary file permission checks on anything the SELinux rules already
# permit. Whether the server actually needs it (rather than correct
# ownership of its mysqld_db_t files) is worth confirming from audit logs
# before keeping it.
allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
allow mysqld_t self:process getsched;
allow mysqld_t proc_t:file { getattr read };

# Allow access to the mysqld databases
create_dir_file(mysqld_t, mysqld_db_t)
# Only traversal of the parent (/var/lib-style) directory, no listing or
# access to other var_lib_t content.
allow mysqld_t var_lib_t:dir { getattr search };

can_network_server(mysqld_t)
can_ypbind(mysqld_t)

# read config files
r_dir_file(initrc_t, mysqld_etc_t)
allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
allow mysqld_t etc_t:dir search;
read_sysctl(mysqld_t)

# The administrator domain may connect to the server's unix socket.
can_unix_connect(sysadm_t, mysqld_t)

# for /root/.my.cnf - should not be needed
# NOTE(review): this grant is type-wide - it covers every file labelled
# sysadm_home_t, not just .my.cnf. If it is kept, that breadth should be
# understood; if audit shows no denials without it, it can be dropped as
# the original comment already suggests.
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };

# logrotate reads the config, reaches the data and run directories, and
# connects to the server socket - presumably to ask the server to flush
# its logs; confirm against the logrotate script.
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
allow logrotate_t mysqld_db_t:dir search;
allow logrotate_t mysqld_var_run_t:dir search;
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)
')

# daemontools supervision: running mysqld_exec_t from svc_run_t transitions
# into mysqld_t, and the service control domain may signal the server.
ifdef(`daemontools.te', `
domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
allow svc_start_t mysqld_t:process signal;
svc_ipc_domain(mysqld_t)
')dnl end ifdef daemontools

ifdef(`distro_redhat', `
# The init script may create directories in the database area.
allow initrc_t mysqld_db_t:dir create_dir_perms;
# because Fedora has the sock_file in the database directory
# (a sock_file created by mysqld_t inside a mysqld_db_t directory is
# relabelled to mysqld_var_run_t so the socket rules above still apply)
file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
')

# Strict policy only: ordinary user domains may reach the local socket when
# the boolean is switched on; it defaults to off.
# NOTE(review): this grants sock_file write but not unix_stream_socket
# connectto on mysqld_t, whereas the other connect paths in this file get
# both (can_unix_connect, and the explicit initrc_t pair above). Verify
# whether connectto is granted to userdomain elsewhere or a connect from a
# user domain will still be denied with the boolean enabled.
ifdef(`targeted_policy', `', `
bool allow_user_mysql_connect false;
if (allow_user_mysql_connect) {
allow userdomain mysqld_var_run_t:dir search;
allow userdomain mysqld_var_run_t:sock_file write;
}
')