On Thu, 27 May 2004 02:26, Valdis.Kletnieks(a)vt.edu wrote:
On Wed, 26 May 2004 14:17:40 +1000, Russell Coker said:
> How should we determine who gets mysql client access? Should we have a
> tunable determining whether we allow userdomain?
That might be a good solution..
OK, I've attached a sample policy file to allow this. I put it in mysqld.te
because it goes easiest there. One advantage of doing it this way is that it
makes the policy simpler, another is that if an administrator wants to change
the policy to allow only dba_t instead of all of userdomain then it's a much
easier change for them.
On Thu, 27 May 2004 02:31, Stephen Smalley <sds(a)epoch.ncsc.mil> wrote:
Is the client program setgid or setuid presently to give it more
access? If so, then a separate domain is reasonable. Regardless, there
is a potential advantage in limiting access to the client program, e.g.
you can ensure that only well-formed messages constructed by the client
program are sent on that socket as opposed to arbitrary data from the
user. Naturally, it all depends on what you are trying to protect and
what threats you want to counter.
The client program is not setgid or setuid, it has no special access and
merely implements the protocol.
Regarding well-formed messages, given that the authors of the client program
apparently did not design it to be run as a trusted program I don't have any
great expectations of it's ability to prevent itself from being exploited.
This combined with the difficulties of a separate domain (redirection of
stdin/stdout not working as expected etc) makes me believe that it's not
worth trying such things at this stage.
Maybe at a future time if the MySql developers want to add SE Linux support to
their database server we could do such things along the way.
PS There's a lot of other MySql work that needs to be done to make it work on
Fedora. A quick test has revealed to me that installing it in enforcing mode
does not work well.
My NSA Security Enhanced Linux packages
Bonnie++ hard drive benchmark
Postal SMTP/POP benchmark
My home page