From: petre rodan <kaiowas@gentoo.org>
To: Erich Schubert <erich@debian.org>
Cc: selinux@tycho.nsa.gov
Subject: Re: gentoo diff for mysqld
Date: Wed, 06 Oct 2004 13:55:09 +0300	[thread overview]
Message-ID: <4163CF0D.4070201@gentoo.org> (raw)
In-Reply-To: <1097001016.15549.4.camel@wintermute.xmldesign.de>




Hi,

Erich Schubert wrote:
> Hi,
> 
> 
>>+# if controled by daemontools
>>+ifdef(`daemontools.te', `
>>+domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
>>+allow svc_start_t mysqld_t:process signal;
>>+svc_ipc_domain(mysqld_t)
>>+')dnl end ifdef daemontools
> 
> 
> I think the "daemontools.te" ifdef is enough, why put this into the
> "gentoo" ifdef, too?
> Please don't use distro-ifdefs unnecessarily. Basically anything being
> in {FHS,upstream,best-practice} should be outside of such ifdefs.
> Only things dependent on non-generic domains or non-standard behaviour -
> for example the gentoo init - should be wrapped IMHO.

I'm glad you think this way.
Here is a new patch with no distro_gentoo ifdefs.
Also, can someone please tell me when that 'allow mysqld_t sysadm_home_t:file { read getattr };' rule is needed?
I have never felt the need for that rule and I'd be happy to see it go.

> Greetings,
> Erich Schubert

thanks,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: mysql.diff --]
[-- Type: text/plain, Size: 1032 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/mysqld.te	2004-08-30 23:35:32.000000000 +0300
+++ /etc/security/selinux/src/policy/domains/program/mysqld.te	2004-10-06 04:36:23.704673096 +0300
@@ -23,7 +23,8 @@
 
 log_domain(mysqld)
 
-allow mysqld_t tmp_t:dir { getattr read };
+# for temporary tables
+tmp_domain(mysqld)
 
 allow mysqld_t usr_t:file { getattr read };
 
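Review bot: replacing the read-only `allow mysqld_t tmp_t:dir { getattr read };` with `tmp_domain(mysqld)` is a widening, not a like-for-like swap, and the one-line comment should say so. In this policy base tmp_domain() declares a private mysqld_tmp_t type and lets mysqld_t create and write files under tmp_t with an automatic transition to that type, so '# for temporary tables' would be clearer as '# temporary tables are created under /tmp: private mysqld_tmp_t type via tmp_domain()'. It is also worth confirming that the server's tmpdir really lives under tmp_t (its default is /tmp) rather than under a directory already labelled mysqld_db_t, in which case the macro would be granting access that is never exercised.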
@@ -57,10 +58,6 @@
 
 can_unix_connect(sysadm_t, mysqld_t)
 
-# for /root/.my.cnf - should not be needed
-allow mysqld_t sysadm_home_dir_t:dir search;
-allow mysqld_t sysadm_home_t:file { read getattr };
-
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, mysqld_etc_t)
 allow logrotate_t mysqld_db_t:dir search;
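Review bot: dropping the two sysadm_home rules is a privilege reduction and is welcome, but the removed comment only asserted "should not be needed" and the submission does not say how that was checked. Please state the verification, e.g. starting mysqld by hand from a root (sysadm_t) shell so that HOME=/root and confirming that no "avc: denied" entries with scontext mysqld_t and tcontext sysadm_home_t or sysadm_home_dir_t appear; the original rule was evidently added for /root/.my.cnf, which is exactly the case a hand-started server would hit and a daemontools- or init-started one would not.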
@@ -74,6 +71,12 @@
 allow userdomain mysqld_var_run_t:sock_file write;
 ')
 
+ifdef(`daemontools.te', `
+domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
+allow svc_start_t mysqld_t:process signal;
+svc_ipc_domain(mysqld_t)
+')dnl end ifdef daemontools
+
 ifdef(`distro_redhat', `
 allow initrc_t mysqld_db_t:dir create_dir_perms;
 
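Review bot: the daemontools block is correctly outside any distro ifdef, but `allow svc_start_t mysqld_t:process signal;` covers ordinary signals only; in SELinux SIGKILL and SIGSTOP are the separate `sigkill` and `sigstop` process permissions, so any svc-style control that stops or kills the service outright would still be denied to a sender domain that has only `signal`. Two smaller points: `domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)` has a stray space after the parenthesis, unlike `can_unix_connect(sysadm_t, mysqld_t)` earlier in the file, and the closing `')dnl end ifdef daemontools` differs from the bare `')` the file uses for the other ifdef blocks; a leading comment such as '# started and signalled by daemontools' in the style of '# for temporary tables' would document why the block exists.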

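The question in the mail body, when the sysadm_home_t rule is actually needed, is best answered empirically rather than by reading the policy: run the daemon with the rule removed and look at what the kernel denies. The POSIX shell script below is an added example, not part of the original mail or of the NSA/Gentoo policy. It reads AVC denial lines in the 2004-era kernel log format (the sample lines here are constructed, with made-up pid, dev and ino values) and prints the minimal allow rules for a chosen source domain against target types with a given prefix, a small, readable version of what audit2allow does. If nothing comes out for mysqld_t against sysadm_home* after exercising the daemon, the rule can go.

```shell
#!/bin/sh
# Constructed sample of AVC denial lines in the 2004-era kernel log format;
# not taken from the mail, and the pid/dev/ino values are made up.
SAMPLE_AVC='audit(1097001016.101:12): avc:  denied  { search } for  pid=4211 exe=/usr/sbin/mysqld name=root dev=hda3 ino=2 scontext=system_u:system_r:mysqld_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
audit(1097001016.102:13): avc:  denied  { read } for  pid=4211 exe=/usr/sbin/mysqld name=.my.cnf dev=hda3 ino=48133 scontext=system_u:system_r:mysqld_t tcontext=root:object_r:sysadm_home_t tclass=file
audit(1097001016.103:14): avc:  denied  { getattr } for  pid=4211 exe=/usr/sbin/mysqld path=/root/.my.cnf dev=hda3 ino=48133 scontext=system_u:system_r:mysqld_t tcontext=root:object_r:sysadm_home_t tclass=file
audit(1097001016.104:15): avc:  denied  { read } for  pid=4211 exe=/usr/sbin/mysqld name=mysql dev=hda3 ino=9 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1097001016.105:16): avc:  denied  { read } for  pid=777 exe=/bin/cat name=.my.cnf dev=hda3 ino=48133 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:sysadm_home_t tclass=file'

# avc_rules_for SRC_TYPE TGT_PREFIX
# Reads AVC lines on stdin and prints one "allow SRC TGT:CLASS { perms };"
# per (target type, object class) for denials whose source type is SRC_TYPE
# and whose target type starts with TGT_PREFIX. Output is sorted so it is
# stable regardless of awk's array iteration order.
avc_rules_for() {
    awk -v src="$1" -v prefix="$2" '
        /avc: +denied/ {
            perms = ""; s = ""; t = ""; cls = ""
            # the denied permissions are the words between the braces
            if (match($0, /[{][^}]*[}]/))
                perms = substr($0, RSTART + 1, RLENGTH - 2)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { s = substr($i, 10) }
                else if ($i ~ /^tcontext=/) { t = substr($i, 10) }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            # contexts are user:role:type; compare the type component only
            split(s, sp, ":"); split(t, tp, ":")
            if (sp[3] != src || index(tp[3], prefix) != 1) next
            key = tp[3] ":" cls
            # accumulate each permission once per (type, class)
            n = split(perms, pa, " ")
            for (j = 1; j <= n; j++)
                if (!seen[key, pa[j]]++) acc[key] = acc[key] " " pa[j]
        }
        END { for (k in acc) printf "allow %s %s {%s };\n", src, k, acc[k] }
    ' | sort
}

# Usage: the mysqld_t denials against sysadm_home* in the constructed sample.
# The sysadm_t and tmp_t lines are filtered out, so only the two rules the
# patch removes are printed back.
printf '%s\n' "$SAMPLE_AVC" | avc_rules_for mysqld_t sysadm_home
```

The prefix argument is deliberately loose so that sysadm_home_t and sysadm_home_dir_t are reported together; in practice the lines come from `dmesg` or the syslog file the kernel messages land in, and a quiet run after starting the server the way it is started in production is the evidence the reviewer asked for.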
