From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 31 Oct 2012 23:33:07 +0100 Subject: [refpolicy] [PATCH 2/2] Support initial creation of mysql database files In-Reply-To: <1351718308-26009-3-git-send-email-sven.vermeulen@siphos.be> References: <1351718308-26009-1-git-send-email-sven.vermeulen@siphos.be> <1351718308-26009-3-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1351722787.4200.33.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2012-10-31 at 22:18 +0100, Sven Vermeulen wrote: > The first thing a MySQL administrator has to do is to create the database > (files) themselves. This is done through the mysql_install_db command. However, > this command invokes mysqld to properly set up the environment. > > This allows the calling domain of the administrator to execute (without > transitioning) the mysqld_exec_t resources (such as mysqld). > > Without this, the installation fails with: > > FATAL ERROR: Could not find /usr/sbin/mysqld > > Signed-off-by: Sven Vermeulen > --- > mysql.if | 4 +++- > 1 files changed, 3 insertions(+), 1 deletions(-) > > diff --git a/mysql.if b/mysql.if > index 55249ff..7a80171 100644 > --- a/mysql.if > +++ b/mysql.if > @@ -416,7 +416,7 @@ interface(`mysql_search_pid_files',` > # > interface(`mysql_admin',` > gen_require(` > - type mysqld_t, mysqld_var_run_t, mysqld_etc_t; > + type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t; > type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; > type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; > type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t; 
> @@ -430,6 +430,8 @@ interface(`mysql_admin',` > role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; > allow $2 system_r; > > + can_exec($1, mysqld_exec_t) > + > files_search_pids($1) > admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) > You tested this with userdom_base_user_template(dbadm) or with sysadm_r? I think we may need a mysql_run_mysqld instead? For how I merged this though, thanks
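Review bot: the `+ can_exec($1, mysqld_exec_t)` line in the second hunk (the one at `@@ -430,6 +430,8 @@`) lets the admin domain run mysqld in its own domain instead of transitioning to mysqld_t, so while mysql_install_db runs, the server code executes with the full permissions of the administrator's domain and none of the file, socket or network restrictions written for mysqld_t apply to it. A domain-transition interface along the lines of the mysql_run_mysqld() suggested in the reply (domtrans to mysqld_t plus the role allow, as the existing `role_transition $2 { ... } system_r;` context lines already do for the init scripts) would keep the server confined during database creation; if executing without transition is really intended, the commit message should say why, and a short comment above the can_exec() line naming mysql_install_db as the reason would help, since neither hunk touches the interface's documentation block.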