2010-02-22 08:27:24

by gizmo

Subject: [refpolicy] [PATCH 1/1] Add MySQL Manager policy to MySQL policy module


Signed-off-by: Chris Richards <[email protected]>
Lots and lots of help from Christopher PeBenito and Dominick Grift
---
policy/modules/kernel/corenetwork.te.in | 1 +
policy/modules/services/mysql.fc | 5 +++
policy/modules/services/mysql.if | 20 ++++++++++
policy/modules/services/mysql.te | 59 +++++++++++++++++++++++++++++++
4 files changed, 85 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index e29bde8..1ee18ee 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -139,6 +139,7 @@ network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index 03db93a..f59c8d5 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -6,6 +6,7 @@
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)

#
# /usr
@@ -16,6 +17,8 @@

/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)

+/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+
#
# /var
#
@@ -25,3 +28,5 @@
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)

/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
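Review bot: The `--` on the new `/var/run/mysqld/mysqlmanager.*` entry limits the label to regular files, but the mysql.te part of this same patch transitions both `file` and `sock_file` objects created in mysqld_var_run_t to mysqlmanagerd_var_run_t and adds `manage_sock_files_pattern` for that type. If the manager's socket lives under that name (the pattern suggests so, but the patch does not say), a `restorecon` would relabel it back to mysqld_var_run_t, so the runtime label and the file context would disagree and the sock_file rules would stop matching. Either drop the `--` so the entry covers every file type, or add a companion entry with `-s` for the socket.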
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 3f6833d..a5e70e2 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -239,6 +239,26 @@ interface(`mysql_write_log',`

#####################################
## <summary>
+## Read MySQL PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`mysql_read_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ mysql_search_pid_files($1)
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#####################################
+## <summary>
## Search MySQL PID files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index d42ffa3..9793e8e 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -34,6 +34,21 @@ files_tmp_file(mysqld_tmp_t)

########################################
#
+# MySQL Manager Declarations
+#
+
+type mysqlmanagerd_t;
+type mysqlmanagerd_exec_t;
+init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
+
+type mysqlmanagerd_var_run_t;
+files_pid_file(mysqlmanagerd_var_run_t)
+
+type mysqlmanagerd_initrc_exec_t;
+init_script_file(mysqlmanagerd_initrc_exec_t)
+
+########################################
+#
# Local policy
#

@@ -84,6 +99,7 @@ corenet_sendrecv_mysqld_client_packets(mysqld_t)
corenet_sendrecv_mysqld_server_packets(mysqld_t)

dev_read_sysfs(mysqld_t)
+dev_read_urand(mysqld_t)

fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
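Review bot: `dev_read_urand(mysqld_t)` widens the existing mysqld domain but has nothing to do with the MySQL Manager policy the subject and description cover, and neither mentions it. Either split it into its own patch or add a sentence to the description saying why mysqld_t now needs /dev/urandom, so the grant stays traceable later.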
@@ -161,3 +177,46 @@ mysql_manage_db_files(mysqld_safe_t)
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
+
+########################################
+#
+# MySQL Manager Policy
+#
+domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
+filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
+getattr_dirs_pattern(mysqlmanagerd_t, user_home_dir_t, user_home_t)
+corecmd_exec_shell(mysqlmanagerd_t)
+
+dev_read_urand(mysqlmanagerd_t)
+allow initrc_t mysqld_etc_t:file read;
+mysql_read_config(mysqlmanagerd_t)
+files_read_etc_files(mysqlmanagerd_t)
+miscfiles_read_localization(mysqlmanagerd_t)
+kernel_read_system_state(mysqlmanagerd_t)
+files_read_usr_files(mysqlmanagerd_t)
+
+allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:process signal;
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
+
+manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+
+allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
+allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
+manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+
+corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
+corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
+corenet_tcp_bind_generic_node(mysqlmanagerd_t)
+corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_var_run_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_var_run_t)
+
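Review bot: The last two corenet calls, `corenet_sendrecv_mysqlmanagerd_server_packets` and `corenet_sendrecv_mysqlmanagerd_client_packets`, are passed `mysqlmanagerd_var_run_t`, the PID-file type, where every other rule in this section passes the `mysqlmanagerd_t` domain; as written the manager domain never receives the packet permissions and the file type gets rules that mean nothing for it. They should read `corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)` and `corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)`. `allow initrc_t mysqld_etc_t:file read;` names initrc_t, a type owned by the init module, directly in mysql.te; that access belongs on the init side, granted through the existing `mysql_read_config` interface, and a comment on why init scripts need the MySQL config would help whoever maintains it. `dac_override` in the self:capability rule is the broad grant here; if it is only needed because the manager runs as root while /var/run/mysqld belongs to the mysql user, a one-line comment saying so would justify keeping it.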
--
1.6.4.4


2010-02-22 13:37:20

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Add MySQL Manager policy to MySQL policy module

On Mon, 2010-02-22 at 08:27 +0000, Chris Richards wrote:
> Signed-off-by: Chris Richards <[email protected]>
> Lots and lots of help from Christopher PeBenito and Dominick Grift

Comments inline.

> ---
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/services/mysql.fc | 5 +++
> policy/modules/services/mysql.if | 20 ++++++++++
> policy/modules/services/mysql.te | 59 +++++++++++++++++++++++++++++++
> 4 files changed, 85 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index e29bde8..1ee18ee 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -139,6 +139,7 @@ network_port(msnp, tcp,1863,s0, udp,1863,s0)
> network_port(munin, tcp,4949,s0, udp,4949,s0)
> network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
> portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
> +network_port(mysqlmanagerd, tcp,2273,s0)
> network_port(nessus, tcp,1241,s0)
> network_port(netsupport, tcp,5405,s0, udp,5405,s0)
> network_port(nmbd, udp,137,s0, udp,138,s0)
> diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
> index 03db93a..f59c8d5 100644
> --- a/policy/modules/services/mysql.fc
> +++ b/policy/modules/services/mysql.fc
> @@ -6,6 +6,7 @@
> /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
> /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
> /etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
>
> #
> # /usr
> @@ -16,6 +17,8 @@
>
> /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
>
> +/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
> +
> #
> # /var
> #
> @@ -25,3 +28,5 @@
> /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
>
> /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
> +
> +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
> diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
> index 3f6833d..a5e70e2 100644
> --- a/policy/modules/services/mysql.if
> +++ b/policy/modules/services/mysql.if
> @@ -239,6 +239,26 @@ interface(`mysql_write_log',`
>
> #####################################
> ## <summary>
> +## Read MySQL PID files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`mysql_read_pid_files',`
> + gen_require(`
> + type mysqld_var_run_t;
> + ')
> +
> + mysql_search_pid_files($1)
> + read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
> +')
> +
> +#####################################
> +## <summary>
> ## Search MySQL PID files.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
> index d42ffa3..9793e8e 100644
> --- a/policy/modules/services/mysql.te
> +++ b/policy/modules/services/mysql.te
> @@ -34,6 +34,21 @@ files_tmp_file(mysqld_tmp_t)
>
> ########################################
> #
> +# MySQL Manager Declarations
> +#
> +
> +type mysqlmanagerd_t;
> +type mysqlmanagerd_exec_t;
> +init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
> +
> +type mysqlmanagerd_var_run_t;
> +files_pid_file(mysqlmanagerd_var_run_t)
> +
> +type mysqlmanagerd_initrc_exec_t;
> +init_script_file(mysqlmanagerd_initrc_exec_t)
> +
> +########################################
> +#
> # Local policy
> #
>
> @@ -84,6 +99,7 @@ corenet_sendrecv_mysqld_client_packets(mysqld_t)
> corenet_sendrecv_mysqld_server_packets(mysqld_t)
>
> dev_read_sysfs(mysqld_t)
> +dev_read_urand(mysqld_t)
>
> fs_getattr_all_fs(mysqld_t)
> fs_search_auto_mountpoints(mysqld_t)
> @@ -161,3 +177,46 @@ mysql_manage_db_files(mysqld_safe_t)
> mysql_read_config(mysqld_safe_t)
> mysql_search_pid_files(mysqld_safe_t)
> mysql_write_log(mysqld_safe_t)
> +
> +########################################
> +#
> +# MySQL Manager Policy
> +#
> +domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
> +filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
> +getattr_dirs_pattern(mysqlmanagerd_t, user_home_dir_t, user_home_t)

You can't use user_home_dir_t nor user_home_t explicitly; use an
interface. Please rearrange all of the interfaces in this section to
follow the refpolicy organization.

http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide#Localpolicyrules

> +corecmd_exec_shell(mysqlmanagerd_t)
> +
> +dev_read_urand(mysqlmanagerd_t)
> +allow initrc_t mysqld_etc_t:file read;
> +mysql_read_config(mysqlmanagerd_t)
> +files_read_etc_files(mysqlmanagerd_t)
> +miscfiles_read_localization(mysqlmanagerd_t)
> +kernel_read_system_state(mysqlmanagerd_t)
> +files_read_usr_files(mysqlmanagerd_t)
> +
> +allow mysqlmanagerd_t self:capability { dac_override kill };
> +allow mysqlmanagerd_t self:process signal;
> +mysql_signal(mysqlmanagerd_t)
> +mysql_stream_connect(mysqlmanagerd_t)
> +
> +manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
> +mysql_read_pid_files(mysqlmanagerd_t)
> +mysql_search_db(mysqlmanagerd_t)
> +
> +allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
> +allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
> +allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
> +manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
> +
> +corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
> +corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
> +corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
> +corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
> +corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
> +corenet_tcp_bind_generic_node(mysqlmanagerd_t)
> +corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
> +corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
> +corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_var_run_t)
> +corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_var_run_t)
> +

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150