gentoo diff for mysqld

gentoo diff for mysqld

[petre rodan]

[-- Attachment #1.1: Type: text/plain, Size: 268 bytes --]

Hi!

attached you'll find a diff for the mysql policy.
you might want to use the tmp_domain() for other distros as well (see the reference)

reference:
http://bugs.gentoo.org/show_bug.cgi?id=48772

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: mysql.diff --]
[-- Type: text/plain, Size: 1815 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/mysqld.fc	2004-08-22 16:20:06.000000000 +0300
+++ /etc/security/selinux/src/policy/file_contexts/program/mysqld.fc	2004-10-05 04:36:41.722539464 +0300
@@ -3,7 +3,7 @@
 /usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t
 /var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t
 /var/log/mysql.*	--	system_u:object_r:mysqld_log_t
-/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t
+/var/lib(64)?/mysql(/.*)?	system_u:object_r:mysqld_db_t
 /var/lib/mysql/mysql.sock -s	system_u:object_r:mysqld_var_run_t
 /etc/my\.cnf		--	system_u:object_r:mysqld_etc_t
 /etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t
--- /root/public_html/policy/nsa/domains/program/unused/mysqld.te	2004-08-30 23:35:32.000000000 +0300
+++ /etc/security/selinux/src/policy/domains/program/mysqld.te	2004-10-05 04:46:34.766383096 +0300
@@ -57,10 +57,6 @@
 
 can_unix_connect(sysadm_t, mysqld_t)
 
-# for /root/.my.cnf - should not be needed
-allow mysqld_t sysadm_home_dir_t:dir search;
-allow mysqld_t sysadm_home_t:file { read getattr };
-
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, mysqld_etc_t)
 allow logrotate_t mysqld_db_t:dir search;
@@ -80,3 +76,20 @@
 # because Fedora has the sock_file in the database directory
 file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
 ')
+
+ifdef(`distro_gentoo', `
+# temporary tables (#sql prefix)
+tmp_domain(mysqld)
+
+# if controled by daemontools
+ifdef(`daemontools.te', `
+domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
+allow svc_start_t mysqld_t:process signal;
+svc_ipc_domain(mysqld_t)
+')dnl end ifdef daemontools
+',`
+# for /root/.my.cnf - should not be needed
+allow mysqld_t sysadm_home_dir_t:dir search;
+allow mysqld_t sysadm_home_t:file { read getattr };
+')dnl end ifdef distro_gentoo
+ 

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for mysqld

[Valdis.Kletnieks]

[-- Attachment #1: Type: text/plain, Size: 284 bytes --]

On Tue, 05 Oct 2004 11:29:40 +0300, petre rodan said:

> attached you'll find a diff for the mysql policy.

> -/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t
> +/var/lib(64)?/mysql(/.*)?	system_u:object_r:mysqld_db_t

Is the database likely to actually be in /var/lib64/mysql/*?

[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]

Re: gentoo diff for mysqld

[petre rodan]

[-- Attachment #1: Type: text/plain, Size: 556 bytes --]


Hi!

Valdis.Kletnieks@vt.edu wrote:
> On Tue, 05 Oct 2004 11:29:40 +0300, petre rodan said:
>>attached you'll find a diff for the mysql policy.
> 
> 
>>-/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t
>>+/var/lib(64)?/mysql(/.*)?	system_u:object_r:mysqld_db_t
> 
> 
> Is the database likely to actually be in /var/lib64/mysql/*?

indeed the fc diff is not needed.
after talking with amd64 maintainers, it looks like the '/var/lib(64)?' is not a gentoo requirement.

thanks,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for mysqld

[Erich Schubert]

Hi,

> +# if controled by daemontools
> +ifdef(`daemontools.te', `
> +domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
> +allow svc_start_t mysqld_t:process signal;
> +svc_ipc_domain(mysqld_t)
> +')dnl end ifdef daemontools

I think the "deamontools.te" ifdef is enough, why put this into the
"gentoo" ifdef, too?
Please don't use distro-ifdefs unneccessarily. Basically anything being
in {FHS,upstream,best-practice} should be outside of such ifdefs.
Only things dependant on non-generic domains or non-standard behaviour -
for example the gentoo init - should be wrapped IMHO.

Greetings,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
  A polar bear is a rectangular bear after a coordinate transform.   //\
        Glück gleicht durch Höhe aus, was ihm an Länge fehlt.        V_/_
                        --- Robert Lee Frost



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gentoo diff for mysqld

[petre rodan]

[-- Attachment #1.1: Type: text/plain, Size: 1013 bytes --]


Hi,

Erich Schubert wrote:
> Hi,
> 
> 
>>+# if controled by daemontools
>>+ifdef(`daemontools.te', `
>>+domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
>>+allow svc_start_t mysqld_t:process signal;
>>+svc_ipc_domain(mysqld_t)
>>+')dnl end ifdef daemontools
> 
> 
> I think the "deamontools.te" ifdef is enough, why put this into the
> "gentoo" ifdef, too?
> Please don't use distro-ifdefs unneccessarily. Basically anything being
> in {FHS,upstream,best-practice} should be outside of such ifdefs.
> Only things dependant on non-generic domains or non-standard behaviour -
> for example the gentoo init - should be wrapped IMHO.

I'm glad you think this way.
Here is a new patch with no distro_gentoo ifdefs.
Also can someone please tell me when is that 'allow mysqld_t sysadm_home_t:file { read getattr };' needed?
I have never felt the need for that rule and I'd be happy to see it go.

> Greetings,
> Erich Schubert

thanks,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: mysql.diff --]
[-- Type: text/plain, Size: 1032 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/mysqld.te	2004-08-30 23:35:32.000000000 +0300
+++ /etc/security/selinux/src/policy/domains/program/mysqld.te	2004-10-06 04:36:23.704673096 +0300
@@ -23,7 +23,8 @@
 
 log_domain(mysqld)
 
-allow mysqld_t tmp_t:dir { getattr read };
+# for temporary tables
+tmp_domain(mysqld)
 
 allow mysqld_t usr_t:file { getattr read };
 
@@ -57,10 +58,6 @@
 
 can_unix_connect(sysadm_t, mysqld_t)
 
-# for /root/.my.cnf - should not be needed
-allow mysqld_t sysadm_home_dir_t:dir search;
-allow mysqld_t sysadm_home_t:file { read getattr };
-
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, mysqld_etc_t)
 allow logrotate_t mysqld_db_t:dir search;
@@ -74,6 +71,12 @@
 allow userdomain mysqld_var_run_t:sock_file write;
 ')
 
+ifdef(`daemontools.te', `
+domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
+allow svc_start_t mysqld_t:process signal;
+svc_ipc_domain(mysqld_t)
+')dnl end ifdef daemontools
+
 ifdef(`distro_redhat', `
 allow initrc_t mysqld_db_t:dir create_dir_perms;
 

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for mysqld

[Russell Coker]

On Wed, 6 Oct 2004 20:55, petre rodan <kaiowas@gentoo.org> wrote:
> Here is a new patch with no distro_gentoo ifdefs.
> Also can someone please tell me when is that 'allow mysqld_t
> sysadm_home_t:file { read getattr };' needed? I have never felt the need
> for that rule and I'd be happy to see it go.

The start command for mysqld reads the file /root/.my.cnf , or used to at 
least.  Has it changed?

I've merged the tmp_domain and daemontools bits into my tree.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gentoo diff for mysqld

[James Carter]

I have merged the tmp_domain and daemontools chunks into CVS.

On Thu, 2004-10-07 at 02:48, Russell Coker wrote:
> On Wed, 6 Oct 2004 20:55, petre rodan <kaiowas@gentoo.org> wrote:
> > Here is a new patch with no distro_gentoo ifdefs.
> > Also can someone please tell me when is that 'allow mysqld_t
> > sysadm_home_t:file { read getattr };' needed? I have never felt the need
> > for that rule and I'd be happy to see it go.
> 
> The start command for mysqld reads the file /root/.my.cnf , or used to at 
> least.  Has it changed?
> 
> I've merged the tmp_domain and daemontools bits into my tree.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.