1 |
commit: 5699bcbafb5cd98151592c881e49b653fa640352 |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Fri Nov 2 15:31:04 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Fri Nov 2 19:08:30 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5699bcba |
7 |
|
8 |
Changes to the mysql policy module |
9 |
|
10 |
Adda mysql_run_mysqld for mysql_admin() so that caller can run script |
11 |
to create initial database. |
12 |
|
13 |
Script runs mysqld and mysqld needs setuid |
14 |
Script also checks for write on root_t needs to be |
15 |
dontaudited/audit_access in dbadm policy module |
16 |
|
17 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
18 |
|
19 |
--- |
20 |
policy/modules/contrib/mysql.if | 31 ++++++++++++++++++++++++++++--- |
21 |
policy/modules/contrib/mysql.te | 6 +++++- |
22 |
2 files changed, 33 insertions(+), 4 deletions(-) |
23 |
|
24 |
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if |
25 |
index c55d58c..590748a 100644 |
26 |
--- a/policy/modules/contrib/mysql.if |
27 |
+++ b/policy/modules/contrib/mysql.if |
28 |
@@ -40,6 +40,31 @@ interface(`mysql_domtrans',` |
29 |
|
30 |
######################################## |
31 |
## <summary> |
32 |
+## Execute mysqld in the mysqld domain, and |
33 |
+## allow the specified role the mysqld domain. |
34 |
+## </summary> |
35 |
+## <param name="domain"> |
36 |
+## <summary> |
37 |
+## Domain allowed to transition. |
38 |
+## </summary> |
39 |
+## </param> |
40 |
+## <param name="role"> |
41 |
+## <summary> |
42 |
+## Role allowed access. |
43 |
+## </summary> |
44 |
+## </param> |
45 |
+# |
46 |
+interface(`mysql_run_mysqld',` |
47 |
+ gen_require(` |
48 |
+ attribute_role mysqld_roles; |
49 |
+ ') |
50 |
+ |
51 |
+ mysql_domtrans($1) |
52 |
+ roleattribute $2 mysqld_roles; |
53 |
+') |
54 |
+ |
55 |
+######################################## |
56 |
+## <summary> |
57 |
## Send generic signals to mysqld. |
58 |
## </summary> |
59 |
## <param name="domain"> |
60 |
@@ -416,7 +441,7 @@ interface(`mysql_search_pid_files',` |
61 |
# |
62 |
interface(`mysql_admin',` |
63 |
gen_require(` |
64 |
- type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t; |
65 |
+ type mysqld_t, mysqld_var_run_t, mysqld_etc_t; |
66 |
type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; |
67 |
type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; |
68 |
type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t; |
69 |
@@ -430,8 +455,6 @@ interface(`mysql_admin',` |
70 |
role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; |
71 |
allow $2 system_r; |
72 |
|
73 |
- can_exec($1, mysqld_exec_t) |
74 |
- |
75 |
files_search_pids($1) |
76 |
admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) |
77 |
|
78 |
@@ -446,6 +469,8 @@ interface(`mysql_admin',` |
79 |
|
80 |
files_search_tmp($1) |
81 |
admin_pattern($1, mysqld_tmp_t) |
82 |
+ |
83 |
+ mysql_run_mysqld($1, $2) |
84 |
') |
85 |
|
86 |
####################################### |
87 |
|
88 |
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te |
89 |
index da6f8c5..b1880c6 100644 |
90 |
--- a/policy/modules/contrib/mysql.te |
91 |
+++ b/policy/modules/contrib/mysql.te |
92 |
@@ -1,4 +1,4 @@ |
93 |
-policy_module(mysql, 1.13.3) |
94 |
+policy_module(mysql, 1.13.4) |
95 |
|
96 |
######################################## |
97 |
# |
98 |
@@ -13,9 +13,13 @@ policy_module(mysql, 1.13.3) |
99 |
## </desc> |
100 |
gen_tunable(mysql_connect_any, false) |
101 |
|
102 |
+attribute_role mysqld_roles; |
103 |
+ |
104 |
type mysqld_t; |
105 |
type mysqld_exec_t; |
106 |
init_daemon_domain(mysqld_t, mysqld_exec_t) |
107 |
+application_domain(mysqld_t, mysqld_exec_t) |
108 |
+role mysqld_roles types mysqld_t; |
109 |
|
110 |
type mysqld_safe_t; |
111 |
type mysqld_safe_exec_t; |