Thanks Thomas,Dominick,Daniel.

Creating a custom policy looks easier than generating new user
type. Compiled above .te file and now mysql connects from guest_u
domain! didn't expect it to be this simple  :D 

One more question, what's the usage of 'optional_policy' in above
te file?
   
--
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in

On Tue, Feb 5, 2013 at 8:09 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/05/2013 09:06 AM, Dominick Grift wrote:
> A. On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
>> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
>>> On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
>>>> Hi - I have  a restricted account with guest_u.How to provide mysql
>>>> access to guest_u without breaking other services?
>>>
>>>> I tried "setsebool -P allow_user_mysql_connect 1"
>>>
>>>> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL
>>>> server through socket '/var/lib/mysql/mysql.sock' (13)
>>>
>>>
>>>> Thanks for help.
>>>
>>>
>>>
>>>> -- ---- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in
>>>> <http://www.giis.co.in>
>>>
>>>
>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> I would add a custom policy module
>>>
>>> policy_module(myguest, 1.0)
>>>
>>> gen_require(` type guest_t; ')
>>>
>>> mysql_stream_connect(guest_t) -- selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>
>> I guess Dominic beat me to it.  Currently the allow_user booleans do not
>> effect
>>
>> guest_u or xguest_u, because I want them as locked down as possible.
>
> The question is where to put the threshold
>
> I recently revisited creating a restricted ssh login user from scratch:
>
> https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
>
>  some stats:
>
> Me (source): sesearch -ASCT -s myrole_t | grep Found Found 59 semantic av
> rules: Found 4 semantic te rules:
>
> Fedora (source): sesearch -ASCT -s guest_t | grep Found Found 620 semantic
> av rules: Found 38 semantic te rules: Found 82 named file transition
> filename_trans:
>
> me (target): sesearch -ASCT -t myrole_t | grep Found Found 30 semantic av
> rules:
>
> Fedora (target): sesearch -ASCT -t guest_t | grep Found Found 909 semantic
> av rules:
>
> Granted, my policy is probably too locked down as is in many ways. But it
> is easier to extend a policy than it is to remove rules from a policy imho
>
>> The way to adjust their policy is through custom policy rules, or you
>> could generate a new user type using sepolicy generate
>> (selinux-polgengui) guest_mysql_u. -- selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
I agree and it would probably be worth investigating what to remove from
guest_u.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlERGawACgkQrlYvE4MpobN3fgCgirGIWP3MimyHNA/fJY7bWE+g
7yoAn168hK0eWJRo3wssN9sPf2lw41bp
=dncE
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux