
SELinux Mailing List

Re: gentoo diff for mysqld

From: petre rodan <kaiowas_at_gentoo.org>
Date: Wed, 06 Oct 2004 13:55:09 +0300

Hi,

Erich Schubert wrote:
> Hi,
>
>

>>+# if controled by daemontools
>>+ifdef(`daemontools.te', `
>>+domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
>>+allow svc_start_t mysqld_t:process signal;
>>+svc_ipc_domain(mysqld_t)
>>+')dnl end ifdef daemontools

>
>
> I think the "daemontools.te" ifdef is enough, why put this into the
> "gentoo" ifdef, too?
> Please don't use distro-ifdefs unnecessarily. Basically anything being
> in {FHS,upstream,best-practice} should be outside of such ifdefs.
> Only things dependent on non-generic domains or non-standard behaviour -
> for example the gentoo init - should be wrapped IMHO.

I'm glad you think this way.
Here is a new patch with no distro_gentoo ifdefs. Also, can someone please tell me when that 'allow mysqld_t sysadm_home_t:file { read getattr };' rule is needed? I have never felt the need for it and I'd be happy to see it go.

> Greetings,
> Erich Schubert

thanks,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

--- /root/public_html/policy/nsa/domains/program/unused/mysqld.te 2004-08-30 23:35:32.000000000 +0300 +++ /etc/security/selinux/src/policy/domains/program/mysqld.te 2004-10-06 04:36:23.704673096 +0300 @@ -23,7 +23,8 @@ log_domain(mysqld) -allow mysqld_t tmp_t:dir { getattr read }; +# for temporary tables +tmp_domain(mysqld) allow mysqld_t usr_t:file { getattr read }; @@ -57,10 +58,6 @@ can_unix_connect(sysadm_t, mysqld_t) -# for /root/.my.cnf - should not be needed -allow mysqld_t sysadm_home_dir_t:dir search; -allow mysqld_t sysadm_home_t:file { read getattr }; - ifdef(`logrotate.te', ` r_dir_file(logrotate_t, mysqld_etc_t) allow logrotate_t mysqld_db_t:dir search; @@ -74,6 +71,12 @@ allow userdomain mysqld_var_run_t:sock_file write; ') +ifdef(`daemontools.te', ` +domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t) +allow svc_start_t mysqld_t:process signal; +svc_ipc_domain(mysqld_t) +')dnl end ifdef daemontools + ifdef(`distro_redhat', ` allow initrc_t mysqld_db_t:dir create_dir_perms;
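Review bot: in the first hunk, `tmp_domain(mysqld)` is far broader than the `allow mysqld_t tmp_t:dir { getattr read };` it replaces (the macro gives the domain a private tmp type and the right to create files under tmp_t rather than just list it), so the comment `# for temporary tables` should also say why read-only access to tmp_t is no longer enough, i.e. that mysqld is now expected to create its temporary tables there; without that, a later reviewer cannot tell whether the old rule was simply wrong or whether the server's behaviour changed.

Review bot: in the second hunk, dropping `allow mysqld_t sysadm_home_dir_t:dir search;` and `allow mysqld_t sysadm_home_t:file { read getattr };` is the right least-privilege move and matches the removed comment's own `should not be needed`, but the comment also records that the rule existed for `/root/.my.cnf`; please note in the change description that a server configured from an admin home directory will now be denied, and that the expected location for such configuration is the mysqld_etc_t-labelled files already referenced in the logrotate block.

Review bot: in the third hunk, `allow svc_start_t mysqld_t:process signal;` is narrower than it looks: the SELinux `process` class separates `signal` from `sigkill`, `sigstop` and `sigchld`, so a supervisor that sends SIGKILL or SIGSTOP will be denied with only `signal` granted; either extend the rule to `allow svc_start_t mysqld_t:process { signal sigkill sigstop };` or add a comment stating that only catchable signals are intended. Minor style point: the stray space in `domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)` does not match the surrounding macro calls.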


Received on Wed 6 Oct 2004 - 06:54:48 EDT

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service