From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 8 Jun 2017 18:43:14 -0400
Subject: [refpolicy] [PATCH 1/3] mysql: remove mysqlmanager policy
In-Reply-To: <20170608171700.27086-1-cgzones@googlemail.com>
References: <20170608171700.27086-1-cgzones@googlemail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/08/2017 01:16 PM, Christian G?ttsche via refpolicy wrote:
> From: cgzones
>
> mysqlmanager was removed by mysql 5.5

Does mariadb have the same or equivalent command? If so this should be kept.

> ---
> mysql.fc | 5 -----
> mysql.if | 10 ++++------
> mysql.te | 62 --------------------------------------------------------------
> 3 files changed, 4 insertions(+), 73 deletions(-)
>
> diff --git a/mysql.fc b/mysql.fc
> index 4afe8eba..50e7dba8 100644
> --- a/mysql.fc
> +++ b/mysql.fc
> @@ -5,12 +5,10 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
> /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
>
> /etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
>
> /usr/bin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
> /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
> /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
> -/usr/bin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
> /usr/bin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
>
> /usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
> @@ -18,7 +16,6 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
> /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
>
> /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
> -/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
> /usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
>
> /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
> @@ -28,5 +25,3 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
> /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
>
> /run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
> -/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
> -/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
> diff --git a/mysql.if b/mysql.if
> index 83badcf6..1d30f6e0 100644
> --- a/mysql.if
> +++ b/mysql.if
> @@ -443,18 +443,16 @@ interface(`mysql_admin',`
> gen_require(`
> type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
> type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
> - type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
> - type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
> + type mysqld_safe_t, mysqld_initrc_exec_t, mysqld_home_t;
> ')
>
> - allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
> - ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
> + allow $1 { mysqld_safe_t mysqld_t }:process { ptrace signal_perms };
> + ps_process_pattern($1, { mysqld_safe_t mysqld_t })
>
> init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t)
> - init_startstop_service($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t)
>
> files_search_pids($1)
> - admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
> + admin_pattern($1, mysqld_var_run_t)
>
> files_search_var_lib($1)
> admin_pattern($1, mysqld_db_t)
> diff --git a/mysql.te b/mysql.te
> index 04d9c9e9..9f612888 100644
> --- a/mysql.te
> +++ b/mysql.te
> @@ -50,16 +50,6 @@ files_tmp_file(mysqld_tmp_t)
> type mysqld_unit_t;
> init_unit_file(mysqld_unit_t)
>
> -type mysqlmanagerd_t;
> -type mysqlmanagerd_exec_t;
> -init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
> -
> -type mysqlmanagerd_initrc_exec_t;
> -init_script_file(mysqlmanagerd_initrc_exec_t)
> -
> -type mysqlmanagerd_var_run_t;
> -files_pid_file(mysqlmanagerd_var_run_t)
> -
> ########################################
> #
> # Local policy
> @@ -210,55 +200,3 @@ userdom_search_user_home_dirs(mysqld_safe_t)
> optional_policy(`
> hostname_exec(mysqld_safe_t)
> ')
> -
> -########################################
> -#
> -# Manager local policy
> -#
> -
> -allow mysqlmanagerd_t self:capability { dac_override kill };
> -allow mysqlmanagerd_t self:process signal;
> -allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
> -allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
> -allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
> -
> -allow mysqlmanagerd_t mysqld_t:process signal;
> -
> -allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
> -allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
> -allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
> -
> -domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
> -
> -manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
> -manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
> -filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
> -
> -stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
> -
> -kernel_read_system_state(mysqlmanagerd_t)
> -
> -corecmd_exec_shell(mysqlmanagerd_t)
> -
> -corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
> -corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
> -corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
> -corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
> -corenet_tcp_bind_generic_node(mysqlmanagerd_t)
> -
> -corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
> -corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
> -corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
> -corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
> -corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
> -
> -dev_read_urand(mysqlmanagerd_t)
> -
> -files_read_etc_files(mysqlmanagerd_t)
> -files_read_usr_files(mysqlmanagerd_t)
> -files_search_pids(mysqlmanagerd_t)
> -files_search_var_lib(mysqlmanagerd_t)
> -
> -miscfiles_read_localization(mysqlmanagerd_t)
> -
> -userdom_search_user_home_dirs(mysqlmanagerd_t)
>
-- Chris PeBenito