psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   master_contrib
  2.   mysql.if
Blob Blame History Raw 
## <summary>Policy for MySQL</summary>

######################################
## <summary>
##	Execute MySQL in the mysql domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mysql_domtrans',`
	gen_require(`
		type mysqld_t, mysqld_exec_t;
	')

	domtrans_pattern($1, mysqld_exec_t, mysqld_t)
')

######################################
## <summary>
##	Execute MySQL in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_exec',`
	gen_require(`
		type  mysqld_exec_t;
	')

	can_exec($1, mysqld_exec_t)
')

########################################
## <summary>
##	Send a generic signal to MySQL.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_signal',`
	gen_require(`
		type mysqld_t;
	')

	allow $1 mysqld_t:process signal;
')

#######################################
## <summary>
##  Send a null signal to mysql.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`mysql_signull',`
    gen_require(`
        type mysqld_t;
    ')

    allow $1 mysqld_t:process signull;
')

########################################
## <summary>
##	Allow the specified domain to connect to postgresql with a tcp socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_tcp_connect',`
	gen_require(`
		type mysqld_t;
	')

	corenet_tcp_recvfrom_labeled($1, mysqld_t)
	corenet_tcp_sendrecv_mysqld_port($1)
	corenet_tcp_connect_mysqld_port($1)
	corenet_sendrecv_mysqld_client_packets($1)
')

########################################
## <summary>
##	Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mysql_stream_connect',`
	gen_require(`
		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')

########################################
## <summary>
##	Read MySQL configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mysql_read_config',`
	gen_require(`
		type mysqld_etc_t;
	')

	allow $1 mysqld_etc_t:dir list_dir_perms;
	allow $1 mysqld_etc_t:file read_file_perms;
	allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Search the directories that contain MySQL
##	database storage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
interface(`mysql_search_db',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search_dir_perms;
')

########################################
## <summary>
##	List the directories that contain MySQL
##	database storage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_list_db',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir list_dir_perms;
')

########################################
## <summary>
##	Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_rw_db_dirs',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_manage_db_dirs',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir manage_dir_perms;
')

#######################################
## <summary>
##	Append to the MySQL database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_append_db_files',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
')

#######################################
## <summary>
##	Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_rw_db_files',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
')

#######################################
## <summary>
##	Create, read, write, and delete MySQL database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_manage_db_files',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
')

########################################
## <summary>
##	Read and write to the MySQL database
##	named socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_rw_db_sockets',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search_dir_perms;
	allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
')

########################################
## <summary>
##	Write to the MySQL log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_write_log',`
	gen_require(`
		type mysqld_log_t;
	')

	logging_search_logs($1)
	allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
')

######################################
## <summary>
##	Execute MySQL safe script in the mysql safe domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mysql_domtrans_mysql_safe',`
	gen_require(`
		type mysqld_safe_t, mysqld_safe_exec_t;
	')

	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
')

######################################
## <summary>
##	Execute MySQL_safe in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_safe_exec',`
	gen_require(`
		type  mysqld_safe_exec_t;
	')

	can_exec($1, mysqld_safe_exec_t)
')

#####################################
## <summary>
##	Read MySQL PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_read_pid_files',`
	gen_require(`
		type mysqld_var_run_t;
	')

	mysql_search_pid_files($1)
	read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')

#####################################
## <summary>
##	Search MySQL PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
interface(`mysql_search_pid_files',`
	gen_require(`
		type mysqld_var_run_t;
	')

	search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
')

########################################
## <summary>
##	Execute mysqld server in the mysqld domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mysql_systemctl',`
	gen_require(`
		type mysqld_unit_file_t;
		type mysqld_t;
	')

	systemd_exec_systemctl($1)
	allow $1 mysqld_unit_file_t:file read_file_perms;
	allow $1 mysqld_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, mysqld_t)
')

########################################
## <summary>
##	read mysqld homedir content (.k5login)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_read_home_content',`
	gen_require(`
		type mysqld_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, mysqld_home_t, mysqld_home_t)
')

########################################
## <summary>
##	Transition to mysqld named content
## </summary>
## <param name="domain">
##	<summary>
##      Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_filetrans_named_content',`
	gen_require(`
		type mysqld_home_t;
	')

	userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
	userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
')

########################################
## <summary>
##	All of the rules required to administrate an mysql environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the mysql domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mysql_admin',`
	gen_require(`
		type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
		type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
		type mysqld_etc_t;
		type mysqld_home_t;
		type mysqld_unit_file_t;
	')

	allow $1 mysqld_t:process signal_perms;
	ps_process_pattern($1, mysqld_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 mysqld_t:process ptrace;
	')

	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 mysqld_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_pids($1)
	admin_pattern($1, mysqld_var_run_t)

	admin_pattern($1, mysqld_db_t)

	files_list_etc($1)
	admin_pattern($1, mysqld_etc_t)

	logging_list_logs($1)
	admin_pattern($1, mysqld_log_t)

	files_list_tmp($1)
	admin_pattern($1, mysqld_tmp_t)

	userdom_search_user_home_dirs($1)
	files_list_root($1)
	admin_pattern($1, mysqld_home_t)

	mysql_systemctl($1)
	admin_pattern($1, mysqld_unit_file_t)
	allow $1 mysqld_unit_file_t:service all_service_perms;

	mysql_stream_connect($1)
')
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.