[selinux-policy: 2505/3172] mysql policy from Dan Walsh

Thu Oct 7 22:42:41 UTC 2010

commit 12a6a53f6398642e8c2a58ed6ba347029a15897b
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Thu Mar 11 13:19:55 2010 -0500

    mysql policy from Dan Walsh
    
    My changes to patch:
    A couple changes to match style.
    Removed files_dontaudit_search_all_mountpoints(mysqld_safe_t), it doesn't exist in refpolicy

 policy/modules/services/mysql.if |   38 ++++++++++++++++++++++++++++++++++++++
 policy/modules/services/mysql.te |   29 ++++++++++++++++++++++++-----
 2 files changed, 62 insertions(+), 5 deletions(-)
---

diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 7d70e4f..fc2b4d2 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -1,5 +1,43 @@
 ## <summary>Policy for MySQL</summary>
 
+######################################
+## <summary>
+##      Execute MySQL in the mysql domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mysql_domtrans',`
+        gen_require(`
+                type mysqld_t, mysqld_exec_t;
+        ')
+
+        domtrans_pattern($1,mysqld_exec_t,mysqld_t)
+
+')
+
+######################################
+## <summary>
+##      Execute MySQL server in the mysql domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mysql_domtrans_mysql_safe',`
+        gen_require(`
+                type mysqld_safe_t, mysqld_safe_exec_t;
+        ')
+
+        domtrans_pattern($1,mysqld_safe_exec_t, mysqld_safe_t)
+')
+
+
 ########################################
 ## <summary>
 ##	Send a generic signal to MySQL.
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 28a7e50..83a6e70 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,6 +6,13 @@ policy_module(mysql, 1.11.2)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
+## </desc>
+gen_tunable(mysql_connect_any, false)
+
 type mysqld_t;
 type mysqld_exec_t;
 init_daemon_domain(mysqld_t, mysqld_exec_t)
@@ -47,7 +54,7 @@ files_pid_file(mysqlmanagerd_var_run_t)
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -125,6 +132,11 @@ ifdef(`distro_redhat',`
 	type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
 ')
 
+tunable_policy(`mysql_connect_any',`
+	corenet_tcp_connect_all_ports(mysqld_t)
+	corenet_sendrecv_all_client_packets(mysqld_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(mysqld_t, mysqld_exec_t)
 ')
@@ -142,28 +154,35 @@ optional_policy(`
 # Local mysqld_safe policy
 #
 
-allow mysqld_safe_t self:capability { dac_override fowner chown };
+allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
+read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
 
 allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
 
-allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 
 kernel_read_system_state(mysqld_safe_t)
+kernel_read_kernel_sysctls(mysqld_safe_t)
+
+corecmd_exec_bin(mysqld_safe_t)
 
 dev_list_sysfs(mysqld_safe_t)
 
 files_read_etc_files(mysqld_safe_t)
 files_read_usr_files(mysqld_safe_t)
 
-corecmd_exec_bin(mysqld_safe_t)
-
 hostname_exec(mysqld_safe_t)
 
 miscfiles_read_localization(mysqld_safe_t)
