* [refpolicy] [PATCH 0/2] Small MySQL updates
From: Sven Vermeulen @ 2012-10-31 21:18 UTC
To: refpolicy

While trying out MySQL with recent policies, two small fixes were needed to support it: the context for the init script in Gentoo wasn't labeled properly, and administrators will need to execute mysqld_exec_t resources (without transitioning).

Sven Vermeulen (2):
  Support mysql init script
  Support initial creation of mysql database files

 mysql.fc | 2 +-
 mysql.if | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

-- 
1.7.8.6
* [refpolicy] [PATCH 1/2] Support mysql init script
From: Sven Vermeulen @ 2012-10-31 21:18 UTC
To: refpolicy

In Gentoo (and perhaps others as well), the init script for MySQL is called "mysql" instead of "mysqld".

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mysql.fc | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/mysql.fc b/mysql.fc index be0d44b..c48dc17 100644 --- a/mysql.fc +++ b/mysql.fc @@ -3,7 +3,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) -/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) /etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)

-- 
1.7.8.6
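Review bot: the `?` in `+/etc/rc\.d/init\.d/mysqld? --` is the safe way to cover both script names. File-context regexes are anchored at both ends, so after this change the entry labels exactly `/etc/rc.d/init.d/mysql` and `/etc/rc.d/init.d/mysqld` as mysqld_initrc_exec_t and nothing else (a sibling such as a `mysqldump` script would still not match), and the unchanged `--` column keeps it limited to regular files. Nothing to change in this hunk; systems that already have the init script installed need a relabel of that path for the new context to take effect.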
* [refpolicy] [PATCH 1/2] Support mysql init script
From: Dominick Grift @ 2012-10-31 22:30 UTC
To: refpolicy

On Wed, 2012-10-31 at 22:18 +0100, Sven Vermeulen wrote:
> In Gentoo (and perhaps others as well), the init script for MySQL is called
> "mysql" instead of "mysqld".
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> mysql.fc | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/mysql.fc b/mysql.fc > index be0d44b..c48dc17 100644 > --- a/mysql.fc > +++ b/mysql.fc > @@ -3,7 +3,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) > /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) > /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) > > -/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) > /etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) > > /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)

merged, thanks
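As an added illustration (not part of this thread and not refpolicy or libselinux code), the Python below mirrors how a file-context entry such as the patched `/etc/rc\.d/init\.d/mysqld?` line is resolved when a path is labeled: the regex is anchored to the whole path, the optional object-class column (`--` for regular files) must agree with the object being labeled, and the last matching entry wins. The `parse_fc`, `lookup`, `label_type` and `init_script_types` names and the `/home/dba` value used to expand HOME_DIR are assumptions of this example; the .fc lines embedded in it are constructed from the hunk above, once as it read before the patch and once after.

```python
"""Toy resolver for refpolicy file-context (.fc) entries.

Illustration only, not libselinux: each regex is anchored to the whole path,
an optional object-class column restricts which objects an entry applies to,
and the LAST matching entry wins.  HOME_DIR is expanded against a single
supplied home directory (the real expansion is done per user by genhomedircon).
"""
import re
from typing import List, NamedTuple, Optional


class Spec(NamedTuple):
    regex: re.Pattern          # compiled, matched with fullmatch() to emulate anchoring
    ftype: Optional[str]       # None = any object class; "-" regular file, "d" directory, ...
    context: str               # full label, e.g. "system_u:object_r:mysqld_etc_t:s0"


# object-class column as written in .fc files -> single-letter class used in lookups
FTYPE_COLUMN = {"--": "-", "-d": "d", "-l": "l", "-c": "c", "-b": "b", "-s": "s", "-p": "p"}

# gen_context(seuser:role:type,mls) as used in refpolicy source .fc files
_GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),([^)]+)\)")


def parse_fc(text: str, home_dir: str = "/home/dba") -> List[Spec]:
    """Parse refpolicy-style .fc lines into Spec entries, in file order."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:                      # regex  class-column  context
            regex, ftype_col, ctx = fields
            ftype: Optional[str] = FTYPE_COLUMN[ftype_col]
        elif len(fields) == 2:                    # regex  context  (applies to any class)
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed fc line: {raw!r}")
        m = _GEN_CONTEXT.fullmatch(ctx)
        if m is None:
            raise ValueError(f"unsupported context syntax: {ctx!r}")
        regex = regex.replace("HOME_DIR", re.escape(home_dir))   # simplification, see docstring
        specs.append(Spec(re.compile(regex), ftype, f"{m.group(1)}:{m.group(2)}"))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str = "-") -> Optional[str]:
    """Return the context `path` (an object of class `ftype`) would get, or None if nothing matches."""
    for spec in reversed(specs):                  # last matching entry wins
        if spec.ftype is not None and spec.ftype != ftype:
            continue                              # class column does not apply to this object
        if spec.regex.fullmatch(path):            # fc regexes are anchored at both ends
            return spec.context
    return None


def label_type(context: Optional[str]) -> Optional[str]:
    """Extract the type field (third colon-separated field) from a context string."""
    return None if context is None else context.split(":")[2]


# Constructed from the mysql.fc hunk in the patch: the entries before and after the change.
MYSQL_FC_BEFORE = r"""
HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
"""
MYSQL_FC_AFTER = MYSQL_FC_BEFORE.replace("init\\.d/mysqld --", "init\\.d/mysqld? --")


def init_script_types(fc_text: str) -> dict:
    """Map candidate init-script paths (regular files) to the type each would be labeled with."""
    specs = parse_fc(fc_text)
    paths = ["/etc/rc.d/init.d/mysql", "/etc/rc.d/init.d/mysqld", "/etc/rc.d/init.d/mysqldump"]
    return {p: label_type(lookup(specs, p)) for p in paths}


if __name__ == "__main__":
    for name, fc in (("before", MYSQL_FC_BEFORE), ("after", MYSQL_FC_AFTER)):
        print(name, init_script_types(fc))
```

Running it shows that the pre-patch table leaves a Gentoo `/etc/rc.d/init.d/mysql` script with no mysql-specific label while the patched table labels both `mysql` and `mysqld` as mysqld_initrc_exec_t, and that a `mysqldump` sibling matches neither version because the pattern is anchored. Passing `"d"` as the object class for the same path returns nothing, which is the effect of the `--` column.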
* [refpolicy] [PATCH 2/2] Support initial creation of mysql database files
From: Sven Vermeulen @ 2012-10-31 21:18 UTC
To: refpolicy

The first thing a MySQL administrator has to do is to create the database (files) themselves. This is done through the mysql_install_db command. However, this command invokes mysqld to properly set up the environment.

This allows the calling domain of the administrator to execute (without transitioning) the mysqld_exec_t resources (such as mysqld).

Without this, the installation fails with:

FATAL ERROR: Could not find /usr/sbin/mysqld

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mysql.if | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/mysql.if b/mysql.if index 55249ff..7a80171 100644 --- a/mysql.if +++ b/mysql.if @@ -416,7 +416,7 @@ interface(`mysql_search_pid_files',` # interface(`mysql_admin',` gen_require(` - type mysqld_t, mysqld_var_run_t, mysqld_etc_t; + type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t; type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t; @@ -430,6 +430,8 @@ interface(`mysql_admin',` role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; allow $2 system_r; + can_exec($1, mysqld_exec_t) + files_search_pids($1) admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })

-- 
1.7.8.6
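Review bot: `+ can_exec($1, mysqld_exec_t)` in the second hunk widens what mysql_admin hands out, and that should be stated in the interface rather than left implicit. can_exec lets the administrator domain run the mysqld binary in its own domain, so the bootstrap mysqld that mysql_install_db starts runs with the administrator's privileges instead of under mysqld_t; that is what makes "FATAL ERROR: Could not find /usr/sbin/mysqld" go away, but none of the mysqld_t restrictions or type transitions apply to that process while it runs. Suggest a comment directly above the line (for example "# mysql_install_db runs mysqld in the caller's domain") and a sentence in the interface's description noting that callers may execute mysqld without a transition, so the next reader does not mistake it for a leftover. The mysql_run_mysqld alternative raised in this thread, a domain transition instead of can_exec, would keep the bootstrap run confined and is worth keeping on the table if the interface is ever handed to a less privileged administrator role than sysadm_r. The first hunk only adds mysqld_exec_t to gen_require, which this line needs; fine as is.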
* [refpolicy] [PATCH 2/2] Support initial creation of mysql database files
From: Dominick Grift @ 2012-10-31 22:33 UTC
To: refpolicy

On Wed, 2012-10-31 at 22:18 +0100, Sven Vermeulen wrote:
> The first thing a MySQL administrator has to do is to create the database
> (files) themselves. This is done through the mysql_install_db command. However,
> this command invokes mysqld to properly set up the environment.
>
> This allows the calling domain of the administrator to execute (without
> transitioning) the mysqld_exec_t resources (such as mysqld).
>
> Without this, the installation fails with:
>
> FATAL ERROR: Could not find /usr/sbin/mysqld
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> mysql.if | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/mysql.if b/mysql.if > index 55249ff..7a80171 100644 > --- a/mysql.if > +++ b/mysql.if > @@ -416,7 +416,7 @@ interface(`mysql_search_pid_files',` > # > interface(`mysql_admin',` > gen_require(` > - type mysqld_t, mysqld_var_run_t, mysqld_etc_t; > + type mysqld_t, mysqld_var_run_t, mysqld_etc_t, mysqld_exec_t; > type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; > type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; > type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t;
> @@ -430,6 +430,8 @@ interface(`mysql_admin',` > role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; > allow $2 system_r; > > + can_exec($1, mysqld_exec_t) > + > files_search_pids($1) > admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) >

You tested this with userdom_base_user_template(dbadm) or with sysadm_r?

I think we may need a mysql_run_mysqld instead?

For now I merged this though, thanks
* [refpolicy] [PATCH 2/2] Support initial creation of mysql database files
From: Sven Vermeulen @ 2012-11-01 9:03 UTC
To: refpolicy

On Wed, Oct 31, 2012 at 11:33:07PM +0100, Dominick Grift wrote:
> You tested this with userdom_base_user_template(dbadm) or with sysadm_r?

With sysadm_r

> I think we may need a mysql_run_mysqld instead?

You mean, provide him with both mysql_admin and mysql_run_mysqld? I don't see a need (yet) for having a separate mysql_run_mysqld currently.

Wkr,
Sven Vermeulen