From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Thu, 8 Jun 2017 19:16:58 +0200
Subject: [refpolicy] [PATCH 1/3] mysql: remove mysqlmanager policy
Message-ID: <20170608171700.27086-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: cgzones

mysqlmanager was removed by mysql 5.5
---
 mysql.fc | 5 -----
 mysql.if | 10 ++++------
 mysql.te | 62 --------------------------------------------------------------
 3 files changed, 4 insertions(+), 73 deletions(-)

diff --git a/mysql.fc b/mysql.fc
index 4afe8eba..50e7dba8 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -5,12 +5,10 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
 /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
 /etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
 /usr/bin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
 /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-/usr/bin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
 /usr/bin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
@@ -18,7 +16,6 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
 /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
 /usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
@@ -28,5 +25,3 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
 /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
 /run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
-/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
diff --git a/mysql.if b/mysql.if
index 83badcf6..1d30f6e0 100644
--- a/mysql.if
+++ b/mysql.if
@@ -443,18 +443,16 @@ interface(`mysql_admin',`
 gen_require(`
 type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
 type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
+ type mysqld_safe_t, mysqld_initrc_exec_t, mysqld_home_t;
 ')
- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
+ allow $1 { mysqld_safe_t mysqld_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { mysqld_safe_t mysqld_t })
 init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t)
- init_startstop_service($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
+ admin_pattern($1, mysqld_var_run_t)
 files_search_var_lib($1)
 admin_pattern($1, mysqld_db_t)
diff --git a/mysql.te b/mysql.te
index 04d9c9e9..9f612888 100644
--- a/mysql.te
+++ b/mysql.te
@@ -50,16 +50,6 @@ files_tmp_file(mysqld_tmp_t)
 type mysqld_unit_t;
 init_unit_file(mysqld_unit_t)
-type mysqlmanagerd_t;
-type mysqlmanagerd_exec_t;
-init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
-
-type mysqlmanagerd_initrc_exec_t;
-init_script_file(mysqlmanagerd_initrc_exec_t)
-
-type mysqlmanagerd_var_run_t;
-files_pid_file(mysqlmanagerd_var_run_t)
-
 ########################################
 #
 # Local policy
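Review bot: The mysql.if hunk drops every in-module reference to the mysqlmanagerd types, but the `corenet_*_mysqlmanagerd_*` calls removed from mysql.te appear to have been the only consumers of the mysqlmanagerd port type, and this patch does not touch corenetwork, so that port definition and its interfaces are presumably left orphaned unless patch 2/3 or 3/3 removes them. The `## <summary>` documentation block of `mysql_admin` sits above this hunk and should be checked for any mention of mysqlmanager that now needs to go. Since the types are removed without aliases, a sentence in the commit message noting that leftover objects still labeled `mysqlmanagerd_*_t` (for example an old `/etc/rc.d/init.d/mysqlmanager`) will show up as unlabeled until a relabel would help administrators. The enclosing `interface(`mysql_admin',`` starts before and ends after this hunk.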
@@ -210,55 +200,3 @@ userdom_search_user_home_dirs(mysqld_safe_t)
 optional_policy(`
 hostname_exec(mysqld_safe_t)
 ')
-
-########################################
-#
-# Manager local policy
-#
-
-allow mysqlmanagerd_t self:capability { dac_override kill };
-allow mysqlmanagerd_t self:process signal;
-allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
-allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
-allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
-
-allow mysqlmanagerd_t mysqld_t:process signal;
-
-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
-
-domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-
-manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
-manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
-filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
-
-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
-
-kernel_read_system_state(mysqlmanagerd_t)
-
-corecmd_exec_shell(mysqlmanagerd_t)
-
-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
-corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
-corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
-corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
-corenet_tcp_bind_generic_node(mysqlmanagerd_t)
-
-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
-corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
-corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
-
-dev_read_urand(mysqlmanagerd_t)
-
-files_read_etc_files(mysqlmanagerd_t)
-files_read_usr_files(mysqlmanagerd_t)
-files_search_pids(mysqlmanagerd_t)
-files_search_var_lib(mysqlmanagerd_t)
-
-miscfiles_read_localization(mysqlmanagerd_t)
-
-userdom_search_user_home_dirs(mysqlmanagerd_t)
--
2.11.0