From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 23 Feb 2010 14:21:30 -0500
Subject: [refpolicy] [PATCH 1/1] Add MySQL Manager to MySQL policy module
In-Reply-To: <1266901662-11534-1-git-send-email-gizmo@giz-works.com>
References: <1266901662-11534-1-git-send-email-gizmo@giz-works.com>
Message-ID: <1266952890.9127.42.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-02-23 at 05:07 +0000, Chris Richards wrote:
> Second submission to fix mistakes from first.

Merged, with a couple minor tweaks.

> Signed-off-by: Chris Richards
> ---
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/services/mysql.fc | 5 +++
> policy/modules/services/mysql.if | 20 +++++++++++
> policy/modules/services/mysql.te | 57 +++++++++++++++++++++++++++++++
> 4 files changed, 83 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 91e0b1c..d00c76e 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -140,6 +140,7 @@ network_port(msnp, tcp,1863,s0, udp,1863,s0)
> network_port(munin, tcp,4949,s0, udp,4949,s0)
> network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
> portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
> +network_port(mysqlmanagerd, tcp,2273,s0)
> network_port(nessus, tcp,1241,s0)
> network_port(netsupport, tcp,5405,s0, udp,5405,s0)
> network_port(nmbd, udp,137,s0, udp,138,s0)
> diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
> index 03db93a..f59c8d5 100644
> --- a/policy/modules/services/mysql.fc
> +++ b/policy/modules/services/mysql.fc
> @@ -6,6 +6,7 @@
> /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
> /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
> /etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
>
> #
> # /usr
> @@ -16,6 +17,8 @@
>
> /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
>
> +/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
> +
> #
> # /var
> #
> @@ -25,3 +28,5 @@
> /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
>
> /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
> +
> +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
> diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
> index 3f6833d..a5e70e2 100644
> --- a/policy/modules/services/mysql.if
> +++ b/policy/modules/services/mysql.if
> @@ -239,6 +239,26 @@ interface(`mysql_write_log',`
>
> #####################################
> ##
> +## Read MySQL PID files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mysql_read_pid_files',`
> + gen_require(`
> + type mysqld_var_run_t;
> + ')
> +
> + mysql_search_pid_files($1)
> + read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
> +')
> +
> +#####################################
> +##
> ## Search MySQL PID files.
> ##
> ##
> diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
> index d42ffa3..a226060 100644
> --- a/policy/modules/services/mysql.te
> +++ b/policy/modules/services/mysql.te
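Review bot: The new `/var/run/mysqld/mysqlmanager.*` entry in the last mysql.fc hunk is limited to regular files by `--`, yet the mysql.te hunk at the end of the patch transitions `sock_file` objects under `mysqld_var_run_t` to `mysqlmanagerd_var_run_t` and grants `manage_sock_files_pattern` on that type. A relabel (restorecon) would therefore reset the manager's socket to `mysqld_var_run_t` through the `/var/run/mysqld(/.*)?` rule just above it, and the manager would lose access to its own socket until it is recreated. Either drop the `--` or add a socket entry beside it: `/var/run/mysqld/mysqlmanager.*	-s	gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)`.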
> @@ -34,6 +34,21 @@ files_tmp_file(mysqld_tmp_t)
>
> ########################################
> #
> +# MySQL Manager Declarations
> +#
> +
> +type mysqlmanagerd_t;
> +type mysqlmanagerd_exec_t;
> +init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
> +
> +type mysqlmanagerd_initrc_exec_t;
> +init_script_file(mysqlmanagerd_initrc_exec_t)
> +
> +type mysqlmanagerd_var_run_t;
> +files_pid_file(mysqlmanagerd_var_run_t)
> +
> +########################################
> +#
> # Local policy
> #
>
> @@ -84,6 +99,7 @@ corenet_sendrecv_mysqld_client_packets(mysqld_t)
> corenet_sendrecv_mysqld_server_packets(mysqld_t)
>
> dev_read_sysfs(mysqld_t)
> +dev_read_urand(mysqld_t)
>
> fs_getattr_all_fs(mysqld_t)
> fs_search_auto_mountpoints(mysqld_t)
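Review bot: `dev_read_urand(mysqld_t)` in the second mysql.te hunk widens the existing mysqld_t domain, which neither the subject ("Add MySQL Manager") nor the one-line description mentions, so it reads as a stray hunk rather than part of the manager work. The description should state why mysqld_t now needs to read urandom, or the line should go into its own patch; as a separate change it is also easier to revert if the access turns out to be unneeded.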
> @@ -161,3 +177,44 @@ mysql_manage_db_files(mysqld_safe_t)
> mysql_read_config(mysqld_safe_t)
> mysql_search_pid_files(mysqld_safe_t)
> mysql_write_log(mysqld_safe_t)
> +
> +########################################
> +#
> +# MySQL Manager Policy
> +#
> +allow mysqlmanagerd_t self:capability { dac_override kill };
> +allow mysqlmanagerd_t self:process signal;
> +allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
> +allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
> +allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
> +
> +mysql_read_config(initrc_t)
> +mysql_read_config(mysqlmanagerd_t)
> +mysql_read_pid_files(mysqlmanagerd_t)
> +mysql_search_db(mysqlmanagerd_t)
> +mysql_signal(mysqlmanagerd_t)
> +mysql_stream_connect(mysqlmanagerd_t)
> +
> +kernel_read_system_state(mysqlmanagerd_t)
> +corecmd_exec_shell(mysqlmanagerd_t)
> +corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
> +corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
> +corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
> +corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
> +corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
> +corenet_tcp_bind_generic_node(mysqlmanagerd_t)
> +corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
> +corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
> +corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_var_run_t)
> +corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_var_run_t)
> +dev_read_urand(mysqlmanagerd_t)
> +files_read_etc_files(mysqlmanagerd_t)
> +files_read_usr_files(mysqlmanagerd_t)
> +
> +miscfiles_read_localization(mysqlmanagerd_t)
> +userdom_getattr_user_home_dirs(mysqlmanagerd_t)
> +
> +domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
> +filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
> +manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
> +manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t,
mysqlmanagerd_var_run_t)
--
Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
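Review bot: `corenet_sendrecv_mysqlmanagerd_server_packets` and `corenet_sendrecv_mysqlmanagerd_client_packets` in the last mysql.te hunk are passed `mysqlmanagerd_var_run_t`, the PID-file type, while every neighbouring corenet call and the mysqld_t rules in the earlier hunk pass the process domain; as written the manager domain never receives the packet permissions and a file type is granted them instead. Change both lines to `corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)` and `corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)`. `mysql_read_config(initrc_t)` in the same hunk names a type declared by the init module from inside mysql.te with no gen_require; the refpolicy convention is to put that rule in init.te, inside an `optional_policy(` block for mysql, so the grant lives with the domain it extends. Since the domain only binds to and connects to the mysqlmanagerd port, `corenet_tcp_sendrecv_all_ports` also looks broader than needed, though whether the generated `corenet_tcp_sendrecv_mysqlmanagerd_port` interface would suffice depends on which peers the manager talks to. The hunk's final `manage_sock_files_pattern` line is wrapped across two lines in this rendering.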