* [refpolicy] [PATCH 0/2] Small MySQL updates
From: Sven Vermeulen @ 2012-10-31 21:18 UTC (permalink / raw)
  To: refpolicy

While trying out MySQL with recent policies, two small fixes were needed to
support it: the context for the init script in Gentoo wasn't labeled properly,
and administrators will need to execute mysqld_exec_t resources (without
transitioning).

Sven Vermeulen (2):
  Support mysql init script
  Support initial creation of mysql database files

 mysql.fc |    2 +-
 mysql.if |    4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

-- 
1.7.8.6


* [refpolicy] [PATCH 1/2] Support mysql init script
From: Sven Vermeulen @ 2012-10-31 21:18 UTC (permalink / raw)
  To: refpolicy

In Gentoo (and perhaps others as well), the init script for MySQL is called
"mysql" instead of "mysqld".

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mysql.fc |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/mysql.fc b/mysql.fc
index be0d44b..c48dc17 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -3,7 +3,7 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
 /etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 /etc/mysql(/.*)?	gen_context(system_u:object_r:mysqld_etc_t,s0)
 
-/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqld?	--	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
 
 /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
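Review bot: the `d?` in `/etc/rc\.d/init\.d/mysqld?` is safe because file_contexts patterns are anchored at both ends, so the line matches exactly `mysql` and `mysqld` and nothing longer. One thing the commit message could add is that already-installed systems need a relabel (for example `restorecon` over the init script directory) before the Gentoo `mysql` script actually carries `mysqld_initrc_exec_t`; changing the fc entry alone does not relabel existing files.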
-- 
1.7.8.6
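To see why the one-character change above is enough, here is an added example (not part of the patch or of refpolicy): a small Python emulation of file_contexts matching, run over a constructed excerpt of mysql.fc as it reads after the patch. The anchoring and "last match wins" behaviour mirror libselinux in simplified form, as the comments state.

```python
import re

# Constructed excerpt of mysql.fc as it reads after PATCH 1/2 (sample input,
# not the full file); fields are whitespace-separated like the real format.
MYSQL_FC = r"""
/etc/my\.cnf                     --  gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/mysql(/.*)?                     gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/rc\.d/init\.d/mysqld?       --  gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysqlmanager  --  gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
/usr/bin/mysqld_safe             --  gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
"""

# File-type field as written in file_contexts: "--" regular file, "-d" directory, ...
FTYPE = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr", "-b": "blk", "-s": "sock", "-p": "fifo"}

def parse_fc(text):
    """Return a list of (compiled regex, file kind or None for any, SELinux type)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, kind, ctx = fields[0], FTYPE[fields[1]], fields[2]
        elif len(fields) == 2:
            regex, kind, ctx = fields[0], None, fields[1]
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # gen_context(system_u:object_r:TYPE,s0) -> TYPE
        m = re.fullmatch(r"gen_context\(([^,]+),.*\)", ctx)
        if not m:
            raise ValueError("unexpected context spec: %r" % ctx)
        setype = m.group(1).split(":")[2]
        # libselinux anchors every pattern at both ends, so "mysqld?" can only
        # match exactly "mysql" or "mysqld", never a longer script name.
        rules.append((re.compile("^(?:%s)$" % regex), kind, setype))
    return rules

def match_context(rules, path, kind="file"):
    """Emulate matchpathcon: the last matching rule in file order wins (libselinux
    additionally prefers literal patterns over regexes; that refinement is omitted)."""
    result = None
    for regex, rule_kind, setype in rules:
        if rule_kind not in (None, kind) or not regex.match(path):
            continue
        result = setype
    return result
```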


* [refpolicy] [PATCH 2/2] Support initial creation of mysql database files
From: Sven Vermeulen @ 2012-10-31 21:18 UTC (permalink / raw)
  To: refpolicy

The first thing a MySQL administrator has to do is to create the database
(files) themselves. This is done through the mysql_install_db command. However,
this command invokes mysqld to properly set up the environment.

This allows the calling domain of the administrator to execute (without
transitioning) the mysqld_exec_t resources (such as mysqld).

Without this, the installation fails with:

  FATAL ERROR: Could not find /usr/sbin/mysqld

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mysql.if |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/mysql.if b/mysql.if
index 55249ff..7a80171 100644
--- a/mysql.if
+++ b/mysql.if
@@ -416,7 +416,7 @@ interface(`mysql_search_pid_files',`
 #
 interface(`mysql_admin',`
 	gen_require(`
-		type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+		type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t;
 		type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
 		type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
 		type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t;
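Review bot: adding `mysqld_exec_t` to `gen_require` is needed for the `can_exec` call that follows, but the interface documentation block above `interface(`mysql_admin',`` (only its closing `#` is visible here) is not updated to say that the admin domain may now execute mysqld in its own context; since this changes what the admin role can do, the summary should describe it.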
@@ -430,6 +430,8 @@ interface(`mysql_admin',`
 	role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
 	allow $2 system_r;
 
+	can_exec($1, mysqld_exec_t)
+
 	files_search_pids($1)
 	admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
 
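Review bot: `can_exec($1, mysqld_exec_t)` makes the admin domain run mysqld with its own, broader permissions instead of under the confined mysqld_t domain, which is what mysql_install_db needs but also means a full server started this way is not covered by the mysqld policy; a domain-transition interface (the `mysql_run_mysqld` idea raised in the reply below) is the tighter alternative if only the install step needs the no-transition path. Either way the commit message should state that this is intended for the one-off install step, not for running the server.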
-- 
1.7.8.6


* [refpolicy] [PATCH 1/2] Support mysql init script
From: Dominick Grift @ 2012-10-31 22:30 UTC (permalink / raw)
  To: refpolicy



On Wed, 2012-10-31 at 22:18 +0100, Sven Vermeulen wrote:
> In Gentoo (and perhaps others as well), the init script for MySQL is called
> "mysql" instead of "mysqld".
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  mysql.fc |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/mysql.fc b/mysql.fc
> index be0d44b..c48dc17 100644
> --- a/mysql.fc
> +++ b/mysql.fc
> @@ -3,7 +3,7 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
>  /etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
>  /etc/mysql(/.*)?	gen_context(system_u:object_r:mysqld_etc_t,s0)
>  
> -/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/mysqld?	--	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
>  /etc/rc\.d/init\.d/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
>  
>  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)

merged, thanks


* [refpolicy] [PATCH 2/2] Support initial creation of mysql database files
From: Dominick Grift @ 2012-10-31 22:33 UTC (permalink / raw)
  To: refpolicy



On Wed, 2012-10-31 at 22:18 +0100, Sven Vermeulen wrote:
> The first thing a MySQL administrator has to do is to create the database
> (files) themselves. This is done through the mysql_install_db command. However,
> this command invokes mysqld to properly set up the environment.
> 
> This allows the calling domain of the administrator to execute (without
> transitioning) the mysqld_exec_t resources (such as mysqld).
> 
> Without this, the installation fails with:
> 
>   FATAL ERROR: Could not find /usr/sbin/mysqld
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  mysql.if |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/mysql.if b/mysql.if
> index 55249ff..7a80171 100644
> --- a/mysql.if
> +++ b/mysql.if
> @@ -416,7 +416,7 @@ interface(`mysql_search_pid_files',`
>  #
>  interface(`mysql_admin',`
>  	gen_require(`
> -		type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
> +		type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t;
>  		type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
>  		type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
>  		type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t;
> @@ -430,6 +430,8 @@ interface(`mysql_admin',`
>  	role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
>  	allow $2 system_r;
>  
> +	can_exec($1, mysqld_exec_t)
> +
>  	files_search_pids($1)
>  	admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
>  

You tested this with userdom_base_user_template(dbadm) or with sysadm_r?

I think we may need a mysql_run_mysqld instead?

For now I merged this though, thanks


* [refpolicy] [PATCH 2/2] Support initial creation of mysql database files
From: Sven Vermeulen @ 2012-11-01  9:03 UTC (permalink / raw)
  To: refpolicy

On Wed, Oct 31, 2012 at 11:33:07PM +0100, Dominick Grift wrote:
> You tested this with userdom_base_user_template(dbadm) or with sysadm_r?

With sysadm_r

> I think we may need a mysql_run_mysqld instead?

You mean, provide him with both mysql_admin and mysql_run_mysqld? I don't
see a need (yet) for having a separate mysql_run_mysqld currently.

Wkr,
	Sven Vermeulen
