Thanks Thomas, Dominick, Daniel.<br><br>Creating a custom policy looks easier than generating a new user type. Compiled the above .te file and now mysql connects from the guest_u domain! Didn't expect it to be this simple :D<br>
<br>One more question: what's the usage of 'optional_policy' in the above .te file?<br><br>-- <br>----<br>Cheers,<br>Lakshmipathi.G<br>FOSS Programmer.<br><a href="http://www.giis.co.in" target="_blank">www.giis.co.in</a><br>
<br><div class="gmail_quote">On Tue, Feb 5, 2013 at 8:09 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">
</div><div><div class="h5">On 02/05/2013 09:06 AM, Dominick Grift wrote:<br>
> A. On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:<br>
>> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:<br>
>>> On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:<br>
>>>> Hi - I have a restricted account with guest_u. How to provide mysql<br>
>>>> access to guest_u without breaking other services?<br>
>>><br>
>>>> I tried "setsebool -P allow_user_mysql_connect 1"<br>
>>><br>
>>>> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL<br>
>>>> server through socket '/var/lib/mysql/mysql.sock' (13)<br>
>>><br>
>>>> Thanks for help.<br>
>>><br>
>>>> -- selinux mailing list <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
>>>> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
>>><br>
>>> I would add a custom policy module<br>
>>><br>
>>> policy_module(myguest, 1.0)<br>
>>><br>
>>> gen_require(` type guest_t; ')<br>
>>><br>
>>> mysql_stream_connect(guest_t)<br>
>>><br>
>><br>
>> I guess Dominick beat me to it. Currently the allow_user booleans do not<br>
>> affect guest_u or xguest_u, because I want them as locked down as possible.<br>
><br>
> The question is where to put the threshold<br>
><br>
> I recently revisited creating a restricted ssh login user from scratch:<br>
><br>
> <a href="https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/" target="_blank">https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/</a><br>
><br>
> some stats:<br>
><br>
> Me (source): sesearch -ASCT -s myrole_t | grep Found<br>
> Found 59 semantic av rules:<br>
> Found 4 semantic te rules:<br>
><br>
> Fedora (source): sesearch -ASCT -s guest_t | grep Found<br>
> Found 620 semantic av rules:<br>
> Found 38 semantic te rules:<br>
> Found 82 named file transition filename_trans:<br>
><br>
> me (target): sesearch -ASCT -t myrole_t | grep Found<br>
> Found 30 semantic av rules:<br>
><br>
> Fedora (target): sesearch -ASCT -t guest_t | grep Found<br>
> Found 909 semantic av rules:<br>
><br>
> Granted, my policy is probably too locked down as is in many ways. But it<br>
> is easier to extend a policy than it is to remove rules from a policy imho<br>
><br>
>> The way to adjust their policy is through custom policy rules, or you<br>
>> could generate a new user type using sepolicy generate<br>
>> (selinux-polgengui) guest_mysql_u.<br>
><br>
</div></div>I agree and it would probably be worth investigating what to remove from<br>
guest_u.<br>
<div class="im"></div>
<div class="HOEnZb"><div class="h5"></div></div></blockquote></div>