From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Thu, 8 Jun 2017 19:17:00 +0200
Subject: [refpolicy] [PATCH 3/3] mysql: update
In-Reply-To: <20170608171700.27086-1-cgzones@googlemail.com>
References: <20170608171700.27086-1-cgzones@googlemail.com>
Message-ID: <20170608171700.27086-3-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: cgzones
---
 mysql.fc | 21 +++++++++------------
 mysql.if | 39 +++++++++++++++++++++------------------
 mysql.te | 43 ++++++++++++++++++++----------------------
 3 files changed, 50 insertions(+), 53 deletions(-)
diff --git a/mysql.fc b/mysql.fc
index e706aebe..64b6e7af 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,27 +1,24 @@
 HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_conf_t,s0)
+/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_conf_t,s0)
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_conf_t,s0)
 /etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
+
 /usr/bin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
-/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/bin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
-
-/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/lib/systemd/system/mysqld[^/]*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
+/usr/lib/systemd/system/mariadb[^/]*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
 /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
 /var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
-
-/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
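Review bot: The replacement entry `/var/log/mysql(/.*)?` at the end of the hunk only matches a `/var/log/mysql` directory and what is under it, whereas the removed `/var/log/mysql.* --` line also matched flat files such as `/var/log/mysqld.log`, which some distributions use as the server error log. Such a file now falls back to the generic /var/log label, and because the mysql.te hunk below leaves mysqld_t with create/append rights on mysqld_log_t only, writing to it would be denied unless a rule outside this patch covers it. Keeping a file-only entry next to the directory one avoids the regression, e.g. `/var/log/mysqld?\.log.* -- gen_context(system_u:object_r:mysqld_log_t,s0)` (constructed example; adjust to the file names actually shipped).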
diff --git a/mysql.if b/mysql.if
index 1d30f6e0..b80f652a 100644
--- a/mysql.if
+++ b/mysql.if
@@ -30,6 +30,7 @@ interface(`mysql_role',`
 ##
 #
 interface(`mysql_domtrans',`
+ refpolicywarn(`$0($*) has been deprecated')
 gen_require(`
 type mysqld_t, mysqld_exec_t;
 ')
@@ -55,6 +56,7 @@ interface(`mysql_domtrans',`
 ##
 #
 interface(`mysql_run_mysqld',`
+ refpolicywarn(`$0($*) has been deprecated')
 gen_require(`
 attribute_role mysqld_roles;
 ')
@@ -116,11 +118,11 @@ interface(`mysql_tcp_connect',`
 #
 interface(`mysql_stream_connect',`
 gen_require(`
- type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ type mysqld_t, mysqld_runtime_t, mysqld_db_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, { mysqld_db_t mysqld_runtime_t }, mysqld_runtime_t, mysqld_t)
 ')
 ########################################
@@ -136,13 +138,13 @@ interface(`mysql_stream_connect',`
 #
 interface(`mysql_read_config',`
 gen_require(`
- type mysqld_etc_t;
+ type mysqld_conf_t;
 ')
 files_search_etc($1)
- allow $1 mysqld_etc_t:dir list_dir_perms;
- allow $1 mysqld_etc_t:file read_file_perms;
- allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 mysqld_conf_t:dir list_dir_perms;
+ allow $1 mysqld_conf_t:file read_file_perms;
+ allow $1 mysqld_conf_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
@@ -355,6 +357,8 @@ interface(`mysql_home_filetrans_mysqld_home',`
 ##
 #
 interface(`mysql_write_log',`
+ refpolicywarn(`$0($*) has been deprecated.')
+
 gen_require(`
 type mysqld_log_t;
 ')
@@ -395,11 +399,11 @@ interface(`mysql_domtrans_mysql_safe',`
 #
 interface(`mysql_read_pid_files',`
 gen_require(`
- type mysqld_var_run_t;
+ type mysqld_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ read_files_pattern($1, mysqld_runtime_t, mysqld_runtime_t)
 ')
 #####################################
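Review bot: The deprecation text added at the top of mysql_domtrans is not consistent with the one added in the -355 hunk to mysql_write_log: `has been deprecated` here (and in mysql_run_mysqld, -55 hunk) versus `has been deprecated.` plus an extra blank line there. Pick one wording for all three; refpolicy deprecations usually also name the replacement interface, which is what a caller hitting the warning at build time actually needs. The `## <summary>` documentation block above each of these interfaces starts outside the hunk; if it is not updated to mark them deprecated, the generated interface documentation keeps advertising them as current. Note that all three interfaces keep their rules after the warning, so existing callers still receive the same permissions — this is a warning, not a removal, and the commit message should say so.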
@@ -415,11 +419,11 @@ interface(`mysql_read_pid_files',`
 #
 interface(`mysql_search_pid_files',`
 gen_require(`
- type mysqld_var_run_t;
+ type mysqld_runtime_t;
 ')
 files_search_pids($1)
- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ search_dirs_pattern($1, mysqld_runtime_t, mysqld_runtime_t)
 ')
 ########################################
@@ -441,30 +445,29 @@ interface(`mysql_search_pid_files',`
 #
 interface(`mysql_admin',`
 gen_require(`
- type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+ type mysqld_t, mysqld_runtime_t, mysqld_conf_t;
 type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
 type mysqld_safe_t, mysqld_initrc_exec_t, mysqld_home_t;
+ type mysqld_unit_t;
 ')
- allow $1 { mysqld_safe_t mysqld_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { mysqld_safe_t mysqld_t })
+ admin_process_pattern($1, { mysqld_safe_t mysqld_t })
+ allow $1 mysqld_t:unix_stream_socket connectto;
- init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t)
+ init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t, mysqld_unit_t)
 files_search_pids($1)
- admin_pattern($1, mysqld_var_run_t)
+ admin_pattern($1, mysqld_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, mysqld_db_t)
 files_search_etc($1)
- admin_pattern($1, { mysqld_etc_t mysqld_home_t })
+ admin_pattern($1, { mysqld_conf_t mysqld_home_t })
 logging_search_logs($1)
 admin_pattern($1, mysqld_log_t)
 files_search_tmp($1)
 admin_pattern($1, mysqld_tmp_t)
-
- mysql_run_mysqld($1, $2)
 ')
diff --git a/mysql.te b/mysql.te
index 9f612888..f8469b29 100644
--- a/mysql.te
+++ b/mysql.te
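Review bot: The new `allow $1 mysqld_t:unix_stream_socket connectto;` in mysql_admin hand-codes what the module's own mysql_stream_connect() interface (patched in the same file above) already expresses together with the socket-file search path; `mysql_stream_connect($1)` in its place keeps the admin interface in step if the socket location or type changes again. It is also a widening of what mysql_admin grants — the admin role can now open the local database socket, not only manage the daemon's files and process — and the interface's `## <summary>` block, which starts outside the hunk, should say so. Dropping `mysql_run_mysqld($1, $2)` at the end of the hunk removes the role/domain transition admins previously got for running the binary by hand; together with the application_domain() removal in mysql.te that is a sensible tightening, but it is a behaviour change that belongs in the commit message.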
@@ -18,22 +18,20 @@ attribute_role mysqld_roles;
 type mysqld_t;
 type mysqld_exec_t;
 init_daemon_domain(mysqld_t, mysqld_exec_t)
-application_domain(mysqld_t, mysqld_exec_t)
 role mysqld_roles types mysqld_t;
 type mysqld_safe_t;
 type mysqld_safe_exec_t;
 init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
-type mysqld_var_run_t;
-files_pid_file(mysqld_var_run_t)
-init_daemon_pid_file(mysqld_var_run_t, dir, "mysqld")
+type mysqld_runtime_t alias mysqld_var_run_t;
+init_daemon_pid_file(mysqld_runtime_t, dir, "mysqld")
 type mysqld_db_t;
 files_type(mysqld_db_t)
-type mysqld_etc_t alias etc_mysqld_t;
-files_config_file(mysqld_etc_t)
+type mysqld_conf_t alias mysqld_etc_t;
+files_config_file(mysqld_conf_t)
 type mysqld_home_t;
 userdom_user_home_content(mysqld_home_t)
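Review bot: `type mysqld_conf_t alias mysqld_etc_t;` keeps the name being renamed as an alias but silently drops the older `etc_mysqld_t` alias that the removed declaration carried, so any local policy module still using that name stops compiling; `type mysqld_conf_t alias { mysqld_etc_t etc_mysqld_t };` keeps both, matching how mysqld_var_run_t is preserved a few lines up. The removed `files_pid_file(mysqld_var_run_t)` is, as far as I recall, redundant because init_daemon_pid_file() declares the type as a pid file itself — worth confirming, since otherwise mysqld_runtime_t silently loses the pidfile attribute the generic pid-file interfaces rely on. Removing application_domain() from mysqld_t is consistent with deprecating mysql_domtrans/mysql_run_mysqld in mysql.if, but it changes who may enter the domain and deserves a sentence in the commit message.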
@@ -66,27 +64,25 @@ allow mysqld_t self:tcp_socket { accept listen };
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_runtime_t, sock_file)
-allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+allow mysqld_t mysqld_conf_t:dir list_dir_perms;
+allow mysqld_t { mysqld_conf_t mysqld_home_t }:file read_file_perms;
+allow mysqld_t mysqld_conf_t:lnk_file read_lnk_file_perms;
-manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+allow mysqld_t mysqld_log_t:dir { add_entry_dir_perms create };
+allow mysqld_t mysqld_log_t:file { append_file_perms create };
 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
-manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
+manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
+manage_files_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
+manage_sock_files_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
+files_pid_filetrans(mysqld_t, mysqld_runtime_t, { dir file sock_file })
 kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
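Review bot: Nothing in the hunk records that the switch from manage_*_pattern on mysqld_log_t to `{ add_entry_dir_perms create }` on directories and `{ append_file_perms create }` on files is deliberate, so the next denial-driven fix will most likely put manage_files_pattern back. It is a real hardening — a compromised mysqld_t can no longer truncate, unlink or rename its own logs — and a comment such as `# mysqld_t only creates and appends to its logs; rotation and cleanup stay with mysqld_safe_t` (which keeps manage_files_pattern on mysqld_log_t in the next mysql.te hunk) would protect the intent. This assumes the server opens every log it owns with O_APPEND; a log opened for plain write would now be denied, so confirm against the server versions being targeted. The rest of the hunk is the mysqld_var_run_t to mysqld_runtime_t rename plus the drop of files_var_lib_filetrans(), which pairs with the files_search_var_lib() addition in the following hunk and looks consistent.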
@@ -119,6 +115,7 @@ fs_rw_hugetlbfs_files(mysqld_t)
 files_read_etc_runtime_files(mysqld_t)
 files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
 auth_use_nsswitch(mysqld_t)
@@ -161,17 +158,17 @@ allow mysqld_safe_t mysqld_t:process { signull sigkill };
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+allow mysqld_safe_t mysqld_conf_t:dir list_dir_perms;
+allow mysqld_safe_t { mysqld_conf_t mysqld_home_t }:file read_file_perms;
+allow mysqld_safe_t mysqld_conf_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
+manage_files_pattern(mysqld_safe_t, mysqld_runtime_t, mysqld_runtime_t)
+delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_runtime_t }, mysqld_runtime_t)
 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
-- 
2.11.0