On 02/05/2013 09:06 AM, Dominick Grift wrote:
> On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
>> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
>>> On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
>>>> Hi - I have a restricted account with guest_u. How to provide mysql
>>>> access to guest_u without breaking other services?
>>>>
>>>> I tried "setsebool -P allow_user_mysql_connect 1"
>>>>
>>>> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL
>>>> server through socket '/var/lib/mysql/mysql.sock' (13)
>>>>
>>>> Thanks for help.
>>>>
>>>> --
>>>> ----
>>>> Cheers,
>>>> Lakshmipathi.G
>>>> FOSS Programmer.
>>>> www.giis.co.in <http://www.giis.co.in>
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> I would add a custom policy module
>>>
>>> policy_module(myguest, 1.0)
>>>
>>> gen_require(`
>>>         type guest_t;
>>> ')
>>>
>>> mysql_stream_connect(guest_t)
>>
>> I guess Dominic beat me to it. Currently the allow_user booleans do not
>> affect guest_u or xguest_u, because I want them as locked down as possible.
>
> The question is where to put the threshold.
>
> I recently revisited creating a restricted ssh login user from scratch:
> https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-wit...
>
> some stats:
>
> Me (source): sesearch -ASCT -s myrole_t | grep Found
> Found 59 semantic av rules:
> Found 4 semantic te rules:
>
> Fedora (source): sesearch -ASCT -s guest_t | grep Found
> Found 620 semantic av rules:
> Found 38 semantic te rules:
> Found 82 named file transition filename_trans:
>
> me (target): sesearch -ASCT -t myrole_t | grep Found
> Found 30 semantic av rules:
>
> Fedora (target): sesearch -ASCT -t guest_t | grep Found
> Found 909 semantic av rules:
>
> Granted, my policy is probably too locked down as is in many ways. But it
> is easier to extend a policy than it is to remove rules from a policy imho.
>
>> The way to adjust their policy is through custom policy rules, or you
>> could generate a new user type using sepolicy generate
>> (selinux-polgengui) guest_mysql_u.
I agree and it would probably be worth investigating what to remove from
guest_u.
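The following is an added example, not code from the thread or from the Fedora policy. It packages the module Dan posted into a buildable form, loads it, and verifies the result the way Dominick measured his role, with sesearch. It assumes a Fedora/RHEL-style host with selinux-policy-devel (for the devel Makefile), policycoreutils (semodule), setools (sesearch) and audit (ausearch, audit2allow) installed, and that the MySQL server runs as mysqld_t, which is the target domain mysql_stream_connect() grants access to. The WORKDIR and MODULE names, and the function names, are this example's own choices.

```shell
#!/bin/sh
# Added example: build, load and verify the myguest module from the thread.
# Assumes selinux-policy-devel, policycoreutils, setools and audit are
# installed and that MySQL runs as mysqld_t. Nothing is executed at load
# time; source the file and call the functions as root on the SELinux host.
set -eu

MODULE=myguest                        # module name, matches policy_module()
WORKDIR=${WORKDIR:-$(mktemp -d)}      # where the .te and .pp files are written

# Write the module source and print its path. The gen_require block is what
# lets a module that declares no types of its own refer to guest_t; without
# it the build fails with "unknown type guest_t".
write_te() {
    cat > "$WORKDIR/$MODULE.te" <<'EOF'
policy_module(myguest, 1.0)

gen_require(`
	type guest_t;
')

# Let guest_t connectto the mysqld_t unix stream socket, which is what the
# allow_user_mysql_connect boolean grants to user_t/staff_t but, as Dan says,
# never to guest_t or xguest_t.
mysql_stream_connect(guest_t)
EOF
    printf '%s\n' "$WORKDIR/$MODULE.te"
}

# Print the allow rules letting domain $1 connectto mysqld_t's stream socket.
# Before the module is loaded this is empty for guest_t (the errno 13 / EACCES
# in the original report); for user_t it shows the rule that
# allow_user_mysql_connect toggles. After loading it shows the new rule.
connect_rules() {
    sesearch -A -s "$1" -t mysqld_t -c unix_stream_socket -p connectto
}

# Rough size of a domain's policy, as source and as target of allow rules:
# the same comparison Dominick made between his myrole_t and Fedora's guest_t.
# grep -c on the rule lines works for both setools 3 and setools 4 output.
rule_counts() {
    printf 'source %s: ' "$1"; sesearch -A -s "$1" | grep -c '^ *allow ' || true
    printf 'target %s: ' "$1"; sesearch -A -t "$1" | grep -c '^ *allow ' || true
}

# Build with the reference-policy devel Makefile and load the .pp module.
build_and_install() {
    write_te >/dev/null
    ( cd "$WORKDIR" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$WORKDIR/$MODULE.pp"
}

# If the client still fails with errno 13 after loading the module, the
# remaining denial is something other than connectto (for example search on
# the directory holding the socket); read it rather than guessing.
recent_denials() {
    ausearch -m avc -ts recent -c mysql 2>/dev/null | audit2allow -w || true
}

# Typical session (as root):
#   . ./myguest.sh
#   connect_rules guest_t      # expect no output
#   build_and_install
#   connect_rules guest_t      # expect: allow guest_t mysqld_t:unix_stream_socket connectto;
#   rule_counts guest_t
```

Keeping the module to the single interface call is deliberate: loading it changes only the guest_t rules that connect_rules prints, so the before/after comparison is the whole audit of what was granted, and `semodule -r myguest` reverts it. That is the "easier to extend than to remove" point in Dominick's message applied in the small.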