
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 02 Nov 2012 19:13:26
Message-Id: 1351883310.5699bcbafb5cd98151592c881e49b653fa640352.SwifT@gentoo
1 commit: 5699bcbafb5cd98151592c881e49b653fa640352
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Nov 2 15:31:04 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Nov 2 19:08:30 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5699bcba
7
8 Changes to the mysql policy module
9
10 Add a mysql_run_mysqld() interface and call it from mysql_admin() so that the caller can run
11 the script that creates the initial database.
12
13 Script runs mysqld and mysqld needs setuid
14 Script also checks for write on root_t needs to be
15 dontaudited/audit_access in dbadm policy module
16
17 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
18
19 ---
20 policy/modules/contrib/mysql.if | 31 ++++++++++++++++++++++++++++---
21 policy/modules/contrib/mysql.te | 6 +++++-
22 2 files changed, 33 insertions(+), 4 deletions(-)
23
24 diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
25 index c55d58c..590748a 100644
26 --- a/policy/modules/contrib/mysql.if
27 +++ b/policy/modules/contrib/mysql.if
28 @@ -40,6 +40,31 @@ interface(`mysql_domtrans',`
29
30 ########################################
31 ## <summary>
32 +## Execute mysqld in the mysqld domain, and
33 +## allow the specified role the mysqld domain.
34 +## </summary>
35 +## <param name="domain">
36 +## <summary>
37 +## Domain allowed to transition.
38 +## </summary>
39 +## </param>
40 +## <param name="role">
41 +## <summary>
42 +## Role allowed access.
43 +## </summary>
44 +## </param>
45 +#
46 +interface(`mysql_run_mysqld',`
47 + gen_require(`
48 + attribute_role mysqld_roles;
49 + ')
50 +
51 + mysql_domtrans($1)
52 + roleattribute $2 mysqld_roles;
53 +')
54 +
55 +########################################
56 +## <summary>
57 ## Send generic signals to mysqld.
58 ## </summary>
59 ## <param name="domain">
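Review bot: The summary of the new mysql_run_mysqld interface describes only the execution side, but the `roleattribute $2 mysqld_roles;` line hands role $2 the whole mysqld_t domain, i.e. every permission this module grants the daemon (the db, log and pid types listed in mysql_admin's gen_require give an idea of the scope), not merely the right to start the binary; that is what a caller must weigh before choosing this over plain mysql_domtrans. Suggest saying so in the summary, e.g. `## Execute mysqld in the mysqld domain and allow the specified role the mysqld domain; the role thereby gains every permission granted to mysqld_t, so use this only for callers that must start the daemon by hand.` Also, `attribute_role`/`roleattribute` need a checkpolicy with role-attribute support; presumably the rest of hardened-refpolicy already relies on that, so it is only worth confirming if older toolchains are still a target.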
60 @@ -416,7 +441,7 @@ interface(`mysql_search_pid_files',`
61 #
62 interface(`mysql_admin',`
63 gen_require(`
64 - type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t;
65 + type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
66 type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
67 type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
68 type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
69 @@ -430,8 +455,6 @@ interface(`mysql_admin',`
70 role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
71 allow $2 system_r;
72
73 - can_exec($1, mysqld_exec_t)
74 -
75 files_search_pids($1)
76 admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
77
78 @@ -446,6 +469,8 @@ interface(`mysql_admin',`
79
80 files_search_tmp($1)
81 admin_pattern($1, mysqld_tmp_t)
82 +
83 + mysql_run_mysqld($1, $2)
84 ')
85
86 #######################################
87
88 diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
89 index da6f8c5..b1880c6 100644
90 --- a/policy/modules/contrib/mysql.te
91 +++ b/policy/modules/contrib/mysql.te
92 @@ -1,4 +1,4 @@
93 -policy_module(mysql, 1.13.3)
94 +policy_module(mysql, 1.13.4)
95
96 ########################################
97 #
98 @@ -13,9 +13,13 @@ policy_module(mysql, 1.13.3)
99 ## </desc>
100 gen_tunable(mysql_connect_any, false)
101
102 +attribute_role mysqld_roles;
103 +
104 type mysqld_t;
105 type mysqld_exec_t;
106 init_daemon_domain(mysqld_t, mysqld_exec_t)
107 +application_domain(mysqld_t, mysqld_exec_t)
108 +role mysqld_roles types mysqld_t;
109
110 type mysqld_safe_t;
111 type mysqld_safe_exec_t;
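Review bot: Adding `application_domain(mysqld_t, mysqld_exec_t)` alongside init_daemon_domain marks mysqld_exec_t as an application executable type as well as a daemon entrypoint; in refpolicy that attribute is what interfaces such as application_exec_all() match, so any domain granted that (presumably the standard user templates) can now execute the mysqld binary in its own domain, not only callers that go through mysql_run_mysqld. If the only goal is letting a user role transition into mysqld_t, the `role mysqld_roles types mysqld_t;` line plus the domtrans already provided through init_daemon_domain's entrypoint should suffice, so either drop the application_domain line or document why the wider exec surface is wanted, e.g. `# application domain as well: the initial-database script execs mysqld from a user role`. The commit message also says mysqld needs setuid, but no capability rule is added in this hunk; confirm mysqld_t already has `allow mysqld_t self:capability setuid;` elsewhere in mysql.te, otherwise bootstrapping from a user role will fail on the first setuid.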