While trying out MySQL with recent policies, two small fixes were needed to
support it: the context for the init script in Gentoo wasn't labeled properly,
and administrators will need to execute mysqld_exec_t resources (without
transitioning).
Sven Vermeulen (2):
Support mysql init script
Support initial creation of mysql database files
mysql.fc | 2 +-
mysql.if | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
--
1.7.8.6
In Gentoo (and perhaps others as well), the init script for MySQL is called
"mysql" instead of "mysqld".
Signed-off-by: Sven Vermeulen <[email protected]>
---
mysql.fc | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/mysql.fc b/mysql.fc
index be0d44b..c48dc17 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -3,7 +3,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
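Review bot: `mysqld?` on the changed line makes only the trailing `d` optional, so with setfiles' anchored matching the entry now covers exactly `/etc/rc.d/init.d/mysql` and `/etc/rc.d/init.d/mysqld` and nothing else (the `mysqlmanager` entry below is unaffected); since the commit message only says that the Gentoo script is named `mysql`, a short sentence there saying that both spellings are deliberately kept for other distributions would stop the `?` from being read as a typo by the next person editing mysql.fc.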
--
1.7.8.6
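As an added illustration (not part of the patch or of refpolicy), the following Python script applies the kind of file_contexts matching that setfiles and matchpathcon perform, anchoring each regex over the whole path, to the mysql.fc lines from the hunk above, before and after the one-character change. The entries are constructed from the hunk; the HOME_DIR line is left out because it is a setfiles substitution rather than a plain regex. One simplification is stated in the code: when several entries match, this toy takes the last one, whereas libselinux also ranks entries by the length of their literal prefix.

```python
import re

# Constructed from the mysql.fc hunk in the patch above: the entries as they
# were before the change (the init script matched only as "mysqld").
FC_BEFORE = r"""
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
"""

# The same entries with the patch applied: "mysqld" -> "mysqld?".
FC_AFTER = FC_BEFORE.replace(r"init\.d/mysqld --", r"init\.d/mysqld? --")

# One file_contexts line: regex, optional file-type flag (-- regular file,
# -d directory, -l symlink, ...), then gen_context(user:role:type,mls).
FC_LINE = re.compile(
    r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,)]+),[^)]*\)\s*$"
)


def parse_fc(text):
    """Parse file_contexts text into (compiled regex, file-type flag, type)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable file_contexts line: {line!r}")
        regex, ftype, ctx = m.groups()
        # ctx is user:role:type; keep only the type, which is what matters here.
        entries.append((re.compile(regex), ftype, ctx.split(":")[2]))
    return entries


def label(entries, path, kind="file"):
    """Return the SELinux type an entry assigns to path, or None if none matches.

    kind is "file" for a regular file or "dir" for a directory; "--" entries
    apply only to regular files and "-d" only to directories, as in setfiles.
    Each regex is matched against the whole path (setfiles anchors them).
    Simplification (assumption of this toy): the last matching entry wins.
    """
    result = None
    for rx, ftype, stype in entries:
        if ftype == "--" and kind != "file":
            continue
        if ftype == "-d" and kind != "dir":
            continue
        if rx.fullmatch(path):
            result = stype
    return result


# Constructed sample paths: the two init-script names plus two controls.
PATHS = [
    ("/etc/rc.d/init.d/mysql", "file"),
    ("/etc/rc.d/init.d/mysqld", "file"),
    ("/etc/rc.d/init.d/mysqlmanager", "file"),
    ("/etc/mysql/my.cnf", "file"),
]


def compare(paths=PATHS):
    """Map each path to (type before the patch, type after the patch)."""
    before, after = parse_fc(FC_BEFORE), parse_fc(FC_AFTER)
    return {p: (label(before, p, k), label(after, p, k)) for p, k in paths}


if __name__ == "__main__":
    for path, (old, new) in compare().items():
        print(f"{path:32} before={str(old):30} after={new}")
```

Running it shows that only `/etc/rc.d/init.d/mysql` changes outcome: it gets no match from the old entry (so it would fall back to whatever a more generic file_contexts line assigns to `/etc`) and `mysqld_initrc_exec_t` from the new one, while `mysqld`, `mysqlmanager` and the config directory are labelled the same before and after.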
The first thing a MySQL administrator has to do is to create the database
(files) themselves. This is done through the mysql_install_db command. However,
this command invokes mysqld to properly setup the environment.
This allows the calling domain of the administrator to execute (without
transitioning) the mysqld_exec_t resources (such as mysqld).
Without this, the installation fails with:
FATAL ERROR: Could not find /usr/sbin/mysqld
Signed-off-by: Sven Vermeulen <[email protected]>
---
mysql.if | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/mysql.if b/mysql.if
index 55249ff..7a80171 100644
--- a/mysql.if
+++ b/mysql.if
@@ -416,7 +416,7 @@ interface(`mysql_search_pid_files',`
#
interface(`mysql_admin',`
gen_require(`
- type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+ type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t;
type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t;
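Review bot: adding mysqld_exec_t to gen_require is needed because the new can_exec() call in the next hunk references it, but the interface's documentation comment (the `#` block ending just above `interface(`mysql_admin',`) is not updated; it should say that the admin domain is now allowed to execute mysqld_exec_t in its own domain, since every caller of mysql_admin() receives that permission whether or not it ever runs mysql_install_db.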
@@ -430,6 +430,8 @@ interface(`mysql_admin',`
role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
allow $2 system_r;
+ can_exec($1, mysqld_exec_t)
+
files_search_pids($1)
admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
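Review bot: can_exec($1, mysqld_exec_t) grants $1 execute on mysqld_exec_t with no domain transition, so any mysqld binary started from the admin domain, not only the one mysql_install_db spawns, runs as $1 with $1's full privileges rather than as mysqld_t (unlike the init-script path covered by the role_transition two lines above); if a server accidentally started this way is a concern, a transition to mysqld_t through a separate run interface would keep the daemon confined, and either way the commit message should state that this covers all of mysqld_exec_t, not just the install step.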
--
1.7.8.6
On Wed, 2012-10-31 at 22:18 +0100, Sven Vermeulen wrote:
> In Gentoo (and perhaps others as well), the init script for MySQL is called
> "mysql" instead of "mysqld".
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> mysql.fc | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/mysql.fc b/mysql.fc
> index be0d44b..c48dc17 100644
> --- a/mysql.fc
> +++ b/mysql.fc
> @@ -3,7 +3,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
> /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
> /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
>
> -/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
>
> /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
merged, thanks
On Wed, 2012-10-31 at 22:18 +0100, Sven Vermeulen wrote:
> The first thing a MySQL administrator has to do is to create the database
> (files) themselves. This is done through the mysql_install_db command. However,
> this command invokes mysqld to properly setup the environment.
>
> This allows the calling domain of the administrator to execute (without
> transitioning) the mysqld_exec_t resources (such as mysqld).
>
> Without this, the installation fails with:
>
> FATAL ERROR: Could not find /usr/sbin/mysqld
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> mysql.if | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/mysql.if b/mysql.if
> index 55249ff..7a80171 100644
> --- a/mysql.if
> +++ b/mysql.if
> @@ -416,7 +416,7 @@ interface(`mysql_search_pid_files',`
> #
> interface(`mysql_admin',`
> gen_require(`
> - type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
> + type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t;
> type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
> type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
> type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t;
> @@ -430,6 +430,8 @@ interface(`mysql_admin',`
> role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
> allow $2 system_r;
>
> + can_exec($1, mysqld_exec_t)
> +
> files_search_pids($1)
> admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
>
You tested this with userdom_base_user_template(dbadm) or with sysadm_r?
I think we may need a mysql_run_mysqld instead?
For now I merged this though, thanks
On Wed, Oct 31, 2012 at 11:33:07PM +0100, Dominick Grift wrote:
> You tested this with userdom_base_user_template(dbadm) or with sysadm_r?
With sysadm_r
> I think we may need a mysql_run_mysqld instead?
You mean, provide him with both mysql_admin and mysql_run_mysqld? I don't
see a need (yet) for having a separate mysql_run_mysqld currently.
Wkr,
Sven Vermeulen