provide mysql access to guest_u

Lakshmipathi.G lakshmipathi.g at gmail.com
Wed Feb 6 02:55:49 UTC 2013


Thanks Thomas, Dominick, Daniel.

Creating a custom policy looks easier than generating a new user
type. Compiled the above .te file and now mysql connects from the guest_u
domain! Didn't expect it to be this simple  :D

One more question: what's the usage of 'optional_policy' in the above
.te file?

-- 
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in

On Tue, Feb 5, 2013 at 8:09 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>
> On 02/05/2013 09:06 AM, Dominick Grift wrote:
> > A. On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
> >> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
> >>> On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
> >>>> Hi - I have a restricted account with guest_u. How to provide mysql
> >>>> access to guest_u without breaking other services?
> >>>
> >>>> I tried "setsebool -P allow_user_mysql_connect 1"
> >>>
> >>>> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL
> >>>> server through socket '/var/lib/mysql/mysql.sock' (13)
> >>>
> >>>
> >>>> Thanks for help.
> >>>
> >>>
> >>>
> >>>> -- ---- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in
> >>>> <http://www.giis.co.in>
> >>>
> >>>
> >>>> -- selinux mailing list selinux at lists.fedoraproject.org
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>
> >>> I would add a custom policy module
> >>>
> >>> policy_module(myguest, 1.0)
> >>>
> >>> gen_require(`
> >>>     type guest_t;
> >>> ')
> >>>
> >>> mysql_stream_connect(guest_t)
> >>>
> >>
> >> I guess Dominick beat me to it.  Currently the allow_user booleans do not
> >> affect guest_u or xguest_u, because I want them as locked down as possible.
> >
> > The question is where to put the threshold
> >
> > I recently revisited creating a restricted ssh login user from scratch:
> >
> >
> https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
> >
> > some stats:
> >
> > Me (source): sesearch -ASCT -s myrole_t | grep Found
> > Found 59 semantic av rules:
> > Found 4 semantic te rules:
> >
> > Fedora (source): sesearch -ASCT -s guest_t | grep Found
> > Found 620 semantic av rules:
> > Found 38 semantic te rules:
> > Found 82 named file transition filename_trans:
> >
> > me (target): sesearch -ASCT -t myrole_t | grep Found
> > Found 30 semantic av rules:
> >
> > Fedora (target): sesearch -ASCT -t guest_t | grep Found
> > Found 909 semantic av rules:
> >
> > Granted, my policy is probably too locked down as is in many ways. But it
> > is easier to extend a policy than it is to remove rules from a policy imho
> >
> >> The way to adjust their policy is through custom policy rules, or you
> >> could generate a new user type using sepolicy generate
> >> (selinux-polgengui) guest_mysql_u.
> >
> >
> I agree and it would probably be worth investigating what to remove from
> guest_u.
>
>
>
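Added example, not code from the thread or from the Fedora policy: the myguest module Daniel posted, built with the reference-policy devel Makefile and loaded, with mysql_stream_connect(guest_t) wrapped in optional_policy(). optional_policy() expands to an optional { } block in the compiled module, so if the mysql policy module (which defines mysqld_t and the socket-directory types that mysql_stream_connect() requires) is absent from the loaded policy, the enclosed rules are silently dropped instead of making the whole module fail to load. The module name and the Makefile path are the standard ones; the script assumes selinux-policy-devel (for the Makefile) and setools (for sesearch) are installed and that the install step runs as root, none of which it checks.

```shell
#!/bin/sh
# Added example: build and load the myguest module from the thread, with the
# mysql rule inside optional_policy(). Assumes selinux-policy-devel and
# setools are installed and that "install" is run as root.
set -eu

MODULE=myguest

# Emit the .te source. optional_policy() becomes an optional { } block: when
# the mysql module is not loaded, the rules inside are dropped rather than
# failing the load of myguest.
render_te() {
    cat <<'EOF'
policy_module(myguest, 1.0)

gen_require(`
    type guest_t;
')

# Allow guest_t to connect to the mysqld unix stream socket under /var/lib/mysql.
# Kept optional so the module still loads on hosts without the mysql policy module.
optional_policy(`
    mysql_stream_connect(guest_t)
')
EOF
}

# Write the source and compile it into a loadable .pp with the devel Makefile.
# Prints the path of the built module on success.
build_module() {
    render_te > "$MODULE.te"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    echo "$MODULE.pp"
}

# Load the module, then confirm the connectto permission actually reached the
# loaded policy (empty output here means the optional block was dropped).
install_module() {
    semodule -i "$MODULE.pp"
    sesearch -A -s guest_t -c unix_stream_socket -p connectto
}

case "${1:-}" in
    build)   build_module ;;
    install) install_module ;;
    *)       render_te ;;        # default: just show the generated .te
esac
```

Run with no arguments to inspect the generated .te, `build` to compile it, and `install` to load it and verify the rule. If the sesearch line prints nothing after a successful semodule -i, the mysql module is not loaded and the optional block was discarded, which is exactly the case optional_policy() exists for.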


