provide mysql access to guest_u

Dominick Grift dominick.grift at gmail.com
Tue Feb 5 14:06:05 UTC 2013


On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
> > On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
> >> Hi - I have a restricted account with guest_u. How to provide mysql
> >> access to guest_u without breaking other services?
> > 
> >> I tried "setsebool -P allow_user_mysql_connect 1"
> > 
> >> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL server 
> >> through socket '/var/lib/mysql/mysql.sock' (13)
> > 
> > 
> >> Thanks for help.
> > 
> > 
> > 
> >> --
> >> ----
> >> Cheers, Lakshmipathi.G
> >> FOSS Programmer.
> >> www.giis.co.in
> > 
> > 
> >> -- selinux mailing list selinux at lists.fedoraproject.org 
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> > I would add a custom policy module
> > 
> > policy_module(myguest, 1.0)
> > 
> > gen_require(`
> >     type guest_t;
> > ')
> > 
> > mysql_stream_connect(guest_t)
> > 
> 
> I guess Dominic beat me to it.  Currently the allow_user booleans do not affect
> guest_u or xguest_u, because I want them as locked down as possible.

The question is where to put the threshold

I recently revisited creating a restricted ssh login user from scratch:

https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/

some stats:

Me (source): 
sesearch -ASCT -s myrole_t | grep Found
Found 59 semantic av rules:
Found 4 semantic te rules:

Fedora (source):
sesearch -ASCT -s guest_t | grep Found
Found 620 semantic av rules:
Found 38 semantic te rules:
Found 82 named file transition filename_trans:

me (target):
sesearch -ASCT -t myrole_t | grep Found
Found 30 semantic av rules:

Fedora (target):
sesearch -ASCT -t guest_t | grep Found
Found 909 semantic av rules:

Granted, my policy is probably too locked down as is in many ways. But
it is easier to extend a policy than it is to remove rules from a policy
imho

> The way to adjust their policy is through custom policy rules, or you could
> generate a new user type using sepolicy generate (selinux-polgengui)
> guest_mysql_u.
