provide mysql access to guest_u
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 5 14:39:40 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/05/2013 09:06 AM, Dominick Grift wrote:
> A. On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
>> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
>>> On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
>>>> Hi - I have a restricted account with guest_u.How to provide mysql
>>>> access to guest_u without breaking other services?
>>>
>>>> I tried "setsebool -P allow_user_mysql_connect 1"
>>>
>>>> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL
>>>> server through socket '/var/lib/mysql/mysql.sock' (13)
>>>
>>>
>>>> Thanks for help.
>>>
>>>
>>>
>>>> -- ---- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in
>>>> <http://www.giis.co.in>
>>>
>>>
>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> I would add a custom policy module
>>>
>>> policy_module(myguest, 1.0)
>>>
>>> gen_require(` type guest_t; ')
>>>
>>> mysql_stream_connect(guest_t) -- selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>
>> I guess Dominic beat me to it. Currently the allow_user booleans do not
>> effect
>>
>> guest_u or xguest_u, because I want them as locked down as possible.
>
> The question is where to put the threshold
>
> I recently revisited creating a restricted ssh login user from scratch:
>
> https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
>
> some stats:
>
> Me (source): sesearch -ASCT -s myrole_t | grep Found Found 59 semantic av
> rules: Found 4 semantic te rules:
>
> Fedora (source): sesearch -ASCT -s guest_t | grep Found Found 620 semantic
> av rules: Found 38 semantic te rules: Found 82 named file transition
> filename_trans:
>
> me (target): sesearch -ASCT -t myrole_t | grep Found Found 30 semantic av
> rules:
>
> Fedora (target): sesearch -ASCT -t guest_t | grep Found Found 909 semantic
> av rules:
>
> Granted, my policy is probably too locked down as is in many ways. But it
> is easier to extend a policy than it is to remove rules from a policy imho
>
>> The way to adjust their policy is through custom policy rules, or you
>> could generate a new user type using sepolicy generate
>> (selinux-polgengui) guest_mysql_u. -- selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
I agree and it would probably be worth investigating what to remove from
guest_u.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlERGawACgkQrlYvE4MpobN3fgCgirGIWP3MimyHNA/fJY7bWE+g
7yoAn168hK0eWJRo3wssN9sPf2lw41bp
=dncE
-----END PGP SIGNATURE-----
More information about the selinux
mailing list