From: gizmo@giz-works.com (Chris Richards) Date: Mon, 22 Feb 2010 08:27:24 +0000 Subject: [refpolicy] [PATCH 1/1] Add MySQL Manager policy to MySQL policy module Message-ID: <1266827244-5329-1-git-send-email-gizmo@giz-works.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Chris Richards Lots and lots of help from Christopher PeBenito and Dominick Grift --- policy/modules/kernel/corenetwork.te.in | 1 + policy/modules/services/mysql.fc | 5 +++ policy/modules/services/mysql.if | 20 ++++++++++ policy/modules/services/mysql.te | 59 +++++++++++++++++++++++++++++++ 4 files changed, 85 insertions(+), 0 deletions(-) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index e29bde8..1ee18ee 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -139,6 +139,7 @@ network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) +network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netsupport, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc index 03db93a..f59c8d5 100644 --- a/policy/modules/services/mysql.fc +++ b/policy/modules/services/mysql.fc @@ -6,6 +6,7 @@ /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) /etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) # # /usr @@ -16,6 +17,8 @@ /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) + # # /var # 
@@ -25,3 +28,5 @@ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) + +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index 3f6833d..a5e70e2 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -239,6 +239,26 @@ interface(`mysql_write_log',` ##################################### ## +## Read MySQL PID files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mysql_read_pid_files',` + gen_require(` + type mysqld_var_run_t; + ') + + mysql_search_pid_files($1) + read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) +') + +##################################### +## ## Search MySQL PID files. ## ## diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index d42ffa3..9793e8e 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -34,6 +34,21 @@ files_tmp_file(mysqld_tmp_t) ######################################## # +# MySQL Manager Declarations +# + +type mysqlmanagerd_t; +type mysqlmanagerd_exec_t; +init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t) + +type mysqlmanagerd_var_run_t; +files_pid_file(mysqlmanagerd_var_run_t) + +type mysqlmanagerd_initrc_exec_t; +init_script_file(mysqlmanagerd_initrc_exec_t) + +######################################## +# # Local policy # @@ -84,6 +99,7 @@ corenet_sendrecv_mysqld_client_packets(mysqld_t) corenet_sendrecv_mysqld_server_packets(mysqld_t) dev_read_sysfs(mysqld_t) +dev_read_urand(mysqld_t) fs_getattr_all_fs(mysqld_t) fs_search_auto_mountpoints(mysqld_t) 
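Review bot: The new `/var/run/mysqld/mysqlmanager.*` entry is limited to regular files by the `--` qualifier, yet the mysql.te part of this patch creates `{ file sock_file }` under mysqld_var_run_t and manages socket files of type mysqlmanagerd_var_run_t, so a relabel would leave the manager's socket at the parent pattern's label (`/var/run/mysqld(/.*)?` → mysqld_var_run_t) instead of mysqlmanagerd_var_run_t. Add a socket entry alongside it, `/var/run/mysqld/mysqlmanager.* -s gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)`, or drop the class qualifier so both the pid file and the socket match.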
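Review bot: `dev_read_urand(mysqld_t)` widens the existing mysqld_t domain rather than the new manager domain, and neither the subject nor the description says why mysqld now needs /dev/urandom. A sentence in the description naming the denial it fixes, or a separate patch, would keep the manager policy reviewable on its own. The mysqld_t local policy block this line sits in continues outside the hunk.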
@@ -161,3 +177,46 @@ mysql_manage_db_files(mysqld_safe_t) mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) + +######################################## +# +# MySQL Manager Policy +# +domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) +filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) +getattr_dirs_pattern(mysqlmanagerd_t, user_home_dir_t, user_home_t) +corecmd_exec_shell(mysqlmanagerd_t) + +dev_read_urand(mysqlmanagerd_t) +allow initrc_t mysqld_etc_t:file read; +mysql_read_config(mysqlmanagerd_t) +files_read_etc_files(mysqlmanagerd_t) +miscfiles_read_localization(mysqlmanagerd_t) +kernel_read_system_state(mysqlmanagerd_t) +files_read_usr_files(mysqlmanagerd_t) + +allow mysqlmanagerd_t self:capability { dac_override kill }; +allow mysqlmanagerd_t self:process signal; +mysql_signal(mysqlmanagerd_t) +mysql_stream_connect(mysqlmanagerd_t) + +manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +mysql_read_pid_files(mysqlmanagerd_t) +mysql_search_db(mysqlmanagerd_t) + +allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; +allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; +manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) + +corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) +corenet_all_recvfrom_netlabel(mysqlmanagerd_t) +corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) +corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) +corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t) +corenet_tcp_bind_generic_node(mysqlmanagerd_t) +corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) +corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) +corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_var_run_t) +corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_var_run_t) + -- 1.6.4.4
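Review bot: The last two lines of the hunk pass the file type `mysqlmanagerd_var_run_t` where a domain is expected; packet send/receive permissions belong to the process type, so they should read `corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)` and `corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)`. The raw rule `allow initrc_t mysqld_etc_t:file read;` uses a type owned by the init module without an interface and grants every init script read access to MySQL configuration; the conventional place is the init module, as an optional `mysql_read_config(initrc_t)` call, and only if the manager's init script actually needs the config rather than the daemon. Likewise `getattr_dirs_pattern(mysqlmanagerd_t, user_home_dir_t, user_home_t)` touches userdom types directly instead of going through a userdom_ interface, which is what the rest of this block does for other modules. With `corenet_tcp_bind_mysqlmanagerd_port` covering the manager's own listener and `mysql_stream_connect` covering the mysqld socket, `corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)` looks wider than the visible needs and could be narrowed to the mysqlmanagerd port unless the manager is known to reach other services over TCP.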