From c691d3d332f4ff00ef1364183d123db7ee63a873 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Oct 14 2012 16:10:09 +0000 Subject: Changes to mysqld policy module Ported from Fedora with changes Signed-off-by: Dominick Grift --- diff --git a/apache.te b/apache.te index 0c64de9..7177a77 100644 --- a/apache.te +++ b/apache.te @@ -1,4 +1,4 @@ -policy_module(apache, 2.5.7) +policy_module(apache, 2.5.8) ######################################## # @@ -803,7 +803,6 @@ optional_policy(` optional_policy(` mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) - mysql_rw_db_sockets(httpd_t) tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) @@ -1026,7 +1025,6 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_suexec_t) - mysql_rw_db_sockets(httpd_suexec_t) mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` @@ -1145,7 +1143,6 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` optional_policy(` mysql_read_config(httpd_script_domains) mysql_stream_connect(httpd_script_domains) - mysql_rw_db_sockets(httpd_script_domains) tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` mysql_tcp_connect(httpd_script_domains) diff --git a/dspam.te b/dspam.te index c7d6a42..5f52340 100644 --- a/dspam.te +++ b/dspam.te @@ -1,4 +1,4 @@ -policy_module(dspam, 1.0.1) +policy_module(dspam, 1.0.2) ######################################## # @@ -71,7 +71,6 @@ optional_policy(` optional_policy(` mysql_stream_connect(dspam_t) - mysql_rw_db_sockets(dspam_t) mysql_read_config(dspam_t) mysql_tcp_connect(dspam_t) diff --git a/exim.te b/exim.te index 76c736b..ed0ed34 100644 --- a/exim.te +++ b/exim.te @@ -1,4 +1,4 @@ -policy_module(exim, 1.5.2) +policy_module(exim, 1.5.3) ######################################## # 
@@ -38,6 +38,7 @@ init_daemon_domain(exim_t, exim_exec_t) role exim_roles types exim_t; mta_mailserver(exim_t, exim_exec_t) +mta_mailserver_delivery(exim_t) mta_mailserver_user_agent(exim_t) mta_agent_executable(exim_exec_t) @@ -145,7 +146,6 @@ userdom_dontaudit_search_user_home_dirs(exim_t) mta_read_aliases(exim_t) mta_read_config(exim_t) mta_manage_spool(exim_t) -mta_mailserver_delivery(exim_t) tunable_policy(`exim_can_connect_db',` corenet_sendrecv_gds_db_client_packets(exim_t) @@ -166,8 +166,7 @@ tunable_policy(`exim_read_user_files',` tunable_policy(`exim_manage_user_files',` userdom_manage_user_home_content_dirs(exim_t) - userdom_read_user_tmp_files(exim_t) - userdom_write_user_tmp_files(exim_t) + userdom_manage_user_tmp_files(exim_t) ') optional_policy(` @@ -203,7 +202,6 @@ optional_policy(` optional_policy(` tunable_policy(`exim_can_connect_db',` - mysql_rw_db_sockets(exim_t) mysql_stream_connect(exim_t) mysql_tcp_connect(exim_t) ') diff --git a/mysql.fc b/mysql.fc index 6d98be6..be0d44b 100644 --- a/mysql.fc +++ b/mysql.fc @@ -1,5 +1,8 @@ +HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) + /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) + /etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) /etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) 
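Review bot: The replacement `userdom_manage_user_tmp_files(exim_t)` under `exim_manage_user_files` is wider than the two lines it replaces: manage adds create, unlink, rename and setattr on user tmp files where the old pair granted only read and write. That widening is not mentioned in the commit message, so confirm it is intended and, if so, mention it in the tunable's description block (outside this hunk), which should state that exim can also create and delete user temporary files.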
@@ -13,9 +16,10 @@ /usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) -/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0) /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) -/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) /var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) diff --git a/mysql.if b/mysql.if index e9c0982..06b9a2e 100644 --- a/mysql.if +++ b/mysql.if @@ -1,4 +1,28 @@ -## Policy for MySQL +## Open source database. + +######################################## +## +## Role access for mysql. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`mysql_role',` + gen_require(` + type mysqld_home_t; + ') + + allow $2 mysqld_home_t:file { manage_file_perms relabel_file_perms }; + userdom_user_home_dir_filetrans($2, mysqld_home_t, file, ".my.cnf") +') ###################################### ## @@ -15,12 +39,13 @@ interface(`mysql_domtrans',` type mysqld_t, mysqld_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, mysqld_exec_t, mysqld_t) ') ######################################## ## -## Send a generic signal to MySQL. +## Send generic signals to mysqld. ## ## ## @@ -38,7 +63,7 @@ interface(`mysql_signal',` ######################################## ## -## Allow the specified domain to connect to postgresql with a tcp socket. +## Connect to mysqld with a tcp socket. ## ## ## @@ -59,7 +84,8 @@ interface(`mysql_tcp_connect',` ######################################## ## -## Connect to MySQL using a unix domain stream socket. +## Connect to mysqld with a unix +# domain stream socket. ## ## ## 
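Review bot: The new `/var/run/mysqld.*` entry gives mysqld_var_run_t to everything under /var/run/mysqld that no more specific entry matches, and the only more specific entries for the manager (`/var/run/mysqld/mysqlmanager.* --` and the added `/var/run/mysqlmanager.* --`) are restricted to regular files. mysql.te's `filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })` creates the manager's socket as mysqlmanagerd_var_run_t, so a restorecon would presumably relabel that socket to mysqld_var_run_t and the manager's own rules would stop matching it; if the manager does use a unix socket there, an `-s` entry such as `/var/run/mysqld/mysqlmanager.* -s gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)` would keep the two consistent. The unescaped `.` in `mysql.*` and `mysqld.*` also matches any character, which looks intentional but differs from the escaped `mysql\.sock` it replaces.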
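Review bot: The continuation line of the mysql_stream_connect summary is written with a single `#` (`# domain stream socket.`) instead of `##`, so the interface documentation tooling, which only collects `##` lines, would see the summary truncated to `Connect to mysqld with a unix`. Change it to `## domain stream socket.`.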
@@ -73,13 +99,13 @@ interface(`mysql_stream_connect',` type mysqld_t, mysqld_var_run_t, mysqld_db_t; ') - stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) - stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) + files_search_pids($1) + stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) ') ######################################## ## -## Read MySQL configuration files. +## Read mysqld configuration content. ## ## ## @@ -93,6 +119,7 @@ interface(`mysql_read_config',` type mysqld_etc_t; ') + files_search_etc($1) allow $1 mysqld_etc_t:dir list_dir_perms; allow $1 mysqld_etc_t:file read_file_perms; allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; @@ -100,8 +127,7 @@ interface(`mysql_read_config',` ######################################## ## -## Search the directories that contain MySQL -## database storage. +## Search mysqld db directories. ## ## ## @@ -109,8 +135,6 @@ interface(`mysql_read_config',` ## ## # -# cjp: "_dir" in the name is added to clarify that this -# is not searching the database itself. interface(`mysql_search_db',` gen_require(` type mysqld_db_t; @@ -122,7 +146,7 @@ interface(`mysql_search_db',` ######################################## ## -## Read and write to the MySQL database directory. +## Read and write mysqld database directories. ## ## ## @@ -141,7 +165,8 @@ interface(`mysql_rw_db_dirs',` ######################################## ## -## Create, read, write, and delete MySQL database directories. +## Create, read, write, and delete +## mysqld database directories. ## ## ## @@ -160,7 +185,7 @@ interface(`mysql_manage_db_dirs',` ####################################### ## -## Append to the MySQL database directory. +## Append mysqld database files. ## ## ## @@ -179,7 +204,7 @@ interface(`mysql_append_db_files',` ####################################### ## -## Read and write to the MySQL database directory. +## Read and write mysqld database files. ## ## ## 
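Review bot: The rewritten mysql_stream_connect adds `files_search_pids($1)` for the /var/run location but nothing for the /var/lib/mysql location that the same pattern now covers through mysqld_db_t; `stream_connect_pattern` grants search on the mysqld_db_t directory itself, not on its var_lib_t parent. Callers used to pick that up from `mysql_rw_db_sockets`, which this commit turns into a no-op and drops from apache, dspam, exim and quantum, so those domains may lose the ability to reach the socket under /var/lib/mysql. Add `files_search_var_lib($1)` next to `files_search_pids($1)`.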
@@ -198,7 +223,8 @@ interface(`mysql_rw_db_files',` ####################################### ## -## Create, read, write, and delete MySQL database files. +## Create, read, write, and delete +## mysqld database files. ## ## ## @@ -217,7 +243,7 @@ interface(`mysql_manage_db_files',` ######################################## ## -## Read and write to the MySQL database +## Read and write mysqld database sockets. ## named socket. ## ## @@ -227,18 +253,12 @@ interface(`mysql_manage_db_files',` ## # interface(`mysql_rw_db_sockets',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir search_dir_perms; - allow $1 mysqld_db_t:sock_file rw_sock_file_perms; + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## -## Write to the MySQL log. +## Write mysqld log files. ## ## ## @@ -252,12 +272,13 @@ interface(`mysql_write_log',` ') logging_search_logs($1) - allow $1 mysqld_log_t:file { write_file_perms setattr }; + allow $1 mysqld_log_t:file write_file_perms; ') ###################################### ## -## Execute MySQL server in the mysql domain. +## Execute mysqld safe in the +## mysqld safe domain. ## ## ## @@ -270,12 +291,13 @@ interface(`mysql_domtrans_mysql_safe',` type mysqld_safe_t, mysqld_safe_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) ') ##################################### ## -## Read MySQL PID files. +## Read mysqld pid files. ## ## ## @@ -288,13 +310,13 @@ interface(`mysql_read_pid_files',` type mysqld_var_run_t; ') - mysql_search_pid_files($1) + files_search_pids($1) read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ') ##################################### ## -## Search MySQL PID files. +## Search mysqld pid files. ## ## ## 
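Review bot: Only the first summary line of mysql_rw_db_sockets was rewritten, so the `## named socket.` continuation that follows `## Read and write mysqld database sockets.` is now a stray fragment in the generated documentation. Drop the `## named socket.` line or fold it into the new summary.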
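Review bot: The deprecated mysql_rw_db_sockets body now only emits `refpolicywarn` and grants nothing, so any out-of-tree module still calling it silently loses the socket access it had, with nothing but a build-time warning to point at the cause. The usual refpolicy convention for a deprecated interface is to name the replacement and keep calling it, e.g. `` refpolicywarn(`$0($*) has been deprecated, use mysql_stream_connect() instead.') `` followed by `mysql_stream_connect($1)`.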
@@ -308,12 +330,14 @@ interface(`mysql_search_pid_files',` type mysqld_var_run_t; ') + files_search_pids($1) search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ') ######################################## ## -## All of the rules required to administrate an mysql environment +## All of the rules required to +## administrate an mysqld environment. ## ## ## @@ -322,34 +346,39 @@ interface(`mysql_search_pid_files',` ## ## ## -## The role to be allowed to manage the mysql domain. +## Role allowed access. ## ## ## # interface(`mysql_admin',` gen_require(` - type mysqld_t, mysqld_var_run_t; - type mysqld_tmp_t, mysqld_db_t; - type mysqld_etc_t, mysqld_log_t; - type mysqld_initrc_exec_t; + type mysqld_t, mysqld_var_run_t, mysqld_etc_t; + type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; + type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; + type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t; ') - allow $1 mysqld_t:process { ptrace signal_perms }; - ps_process_pattern($1, mysqld_t) + allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) - init_labeled_script_domtrans($1, mysqld_initrc_exec_t) + init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) domain_system_change_exemption($1) - role_transition $2 mysqld_initrc_exec_t system_r; + role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; allow $2 system_r; - admin_pattern($1, mysqld_var_run_t) + files_search_pids($1) + admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) + files_search_var_lib($1) admin_pattern($1, mysqld_db_t) + files_search_etc($1) admin_pattern($1, mysqld_etc_t) + logging_search_logs($1) admin_pattern($1, mysqld_log_t) + files_search_tmp($1) admin_pattern($1, mysqld_tmp_t) ') diff --git a/mysql.te b/mysql.te index 043cdb0..c7b2d53 100644 --- a/mysql.te +++ b/mysql.te 
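Review bot: The rewritten mysql_admin summary still reads `administrate an mysqld environment`; the article precedes a consonant sound, so it should be `## administrate a mysqld environment.`. Otherwise the widened require block and the `{ mysqld_safe_t mysqld_t mysqlmanagerd_t }` sets look consistent with the types the .te file declares in this commit.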
@@ -1,4 +1,4 @@ -policy_module(mysql, 1.13.1) +policy_module(mysql, 1.13.2) ######################################## # @@ -6,9 +6,10 @@ policy_module(mysql, 1.13.1) # ## -##

-## Allow mysqld to connect to all ports -##

+##

+## Determine whether mysqld can +## connect to all TCP ports. +##

##
gen_tunable(mysql_connect_any, false) @@ -30,6 +31,9 @@ files_type(mysqld_db_t) type mysqld_etc_t alias etc_mysqld_t; files_config_file(mysqld_etc_t) +type mysqld_home_t; +userdom_user_home_content(mysqld_home_t) + type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) 
@@ -59,61 +63,62 @@ dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; allow mysqld_t self:shm create_shm_perms; -allow mysqld_t self:unix_stream_socket create_stream_socket_perms; -allow mysqld_t self:tcp_socket create_stream_socket_perms; -allow mysqld_t self:udp_socket create_socket_perms; +allow mysqld_t self:unix_stream_socket { accept listen }; +allow mysqld_t self:tcp_socket { accept listen }; manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) -allow mysqld_t mysqld_etc_t:file read_file_perms; -allow mysqld_t mysqld_etc_t:lnk_file { getattr read }; +filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) + allow mysqld_t mysqld_etc_t:dir list_dir_perms; +allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; +allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; -allow mysqld_t mysqld_log_t:file manage_file_perms; +allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(mysqld_t, mysqld_log_t, file) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) +manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file }) +files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) -kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) +kernel_read_network_state(mysqld_t) 
+kernel_read_system_state(mysqld_t) corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) corenet_tcp_sendrecv_generic_if(mysqld_t) -corenet_udp_sendrecv_generic_if(mysqld_t) corenet_tcp_sendrecv_generic_node(mysqld_t) -corenet_udp_sendrecv_generic_node(mysqld_t) -corenet_tcp_sendrecv_all_ports(mysqld_t) -corenet_udp_sendrecv_all_ports(mysqld_t) corenet_tcp_bind_generic_node(mysqld_t) + +corenet_sendrecv_mysqld_server_packets(mysqld_t) corenet_tcp_bind_mysqld_port(mysqld_t) -corenet_tcp_connect_mysqld_port(mysqld_t) corenet_sendrecv_mysqld_client_packets(mysqld_t) -corenet_sendrecv_mysqld_server_packets(mysqld_t) +corenet_tcp_connect_mysqld_port(mysqld_t) +corenet_tcp_sendrecv_mysqld_port(mysqld_t) + +corecmd_exec_bin(mysqld_t) +corecmd_exec_shell(mysqld_t) dev_read_sysfs(mysqld_t) dev_read_urand(mysqld_t) +domain_use_interactive_fds(mysqld_t) + fs_getattr_all_fs(mysqld_t) fs_search_auto_mountpoints(mysqld_t) fs_rw_hugetlbfs_files(mysqld_t) -domain_use_interactive_fds(mysqld_t) - -files_getattr_var_lib_dirs(mysqld_t) files_read_etc_runtime_files(mysqld_t) -files_read_etc_files(mysqld_t) files_read_usr_files(mysqld_t) -files_search_var_lib(mysqld_t) auth_use_nsswitch(mysqld_t) @@ -121,20 +126,13 @@ logging_send_syslog_msg(mysqld_t) miscfiles_read_localization(mysqld_t) -sysnet_read_config(mysqld_t) - +userdom_search_user_home_dirs(mysqld_t) userdom_dontaudit_use_unpriv_user_fds(mysqld_t) -# for /root/.my.cnf - should not be needed: -userdom_read_user_home_content_files(mysqld_t) - -ifdef(`distro_redhat',` - # because Fedora has the sock_file in the database directory - type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; -') tunable_policy(`mysql_connect_any',` - corenet_tcp_connect_all_ports(mysqld_t) corenet_sendrecv_all_client_packets(mysqld_t) + corenet_tcp_connect_all_ports(mysqld_t) + corenet_tcp_sendrecv_all_ports(mysqld_t) ') optional_policy(` 
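Review bot: `corecmd_exec_bin(mysqld_t)` and `corecmd_exec_shell(mysqld_t)` let the server domain itself run any bin_t program and a shell, which the previous policy did not allow and the commit message does not explain; for a network-facing daemon that is a notable widening and deserves a why-comment naming the feature that needs it (mysqld_safe_t, which is a shell script, already gets `corecmd_exec_shell` separately in a later hunk). The socket rules are also reduced to `{ accept listen }` for tcp_socket and unix_stream_socket, so create, bind and connect must now come from elsewhere, presumably `auth_use_nsswitch` and the base domain rules; please confirm that holds for both classes, since a gap would only show up when the listener starts.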
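Review bot: `userdom_search_user_home_dirs(mysqld_t)`, together with the mysqld_home_t read rule from the previous hunk and the `HOME_DIR/\.my\.cnf` label in mysql.fc, lets the server read every user's `~/.my.cnf`, a file that commonly holds client passwords; the comment being removed here noted that only `/root/.my.cnf` was needed. This is narrower than the `userdom_read_user_home_content_files` it replaces, so it is an improvement, but a short comment saying why the server needs user config files at all, e.g. `# reads ~/.my.cnf (mysqld_home_t): <reason>`, would stop the next reviewer from questioning it. The same pairing is added for mysqld_safe_t and mysqlmanagerd_t in later hunks.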
@@ -151,26 +149,35 @@ optional_policy(` ####################################### # -# Local mysqld_safe policy +# Safe local policy # allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -dontaudit mysqld_safe_t self:capability sys_ptrace; +allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; +allow mysqld_safe_t mysqld_t:process signull; + read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) +manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) +allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms; +allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; +allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms; -allow mysqld_safe_t mysqld_log_t:file manage_file_perms; +allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) +delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t) + +domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) +corecmd_exec_shell(mysqld_safe_t) dev_list_sysfs(mysqld_safe_t) 
@@ -178,22 +185,23 @@ domain_read_all_domains_state(mysqld_safe_t) files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) +files_search_pids(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) +files_dontaudit_search_all_mountpoints(mysqld_safe_t) -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - -hostname_exec(mysqld_safe_t) +logging_send_syslog_msg(mysqld_safe_t) miscfiles_read_localization(mysqld_safe_t) -mysql_manage_db_files(mysqld_safe_t) -mysql_read_config(mysqld_safe_t) -mysql_search_pid_files(mysqld_safe_t) -mysql_write_log(mysqld_safe_t) +userdom_search_user_home_dirs(mysqld_safe_t) + +optional_policy(` + hostname_exec(mysqld_safe_t) +') ######################################## # -# MySQL Manager Policy +# Manager local policy # allow mysqlmanagerd_t self:capability { dac_override kill }; @@ -202,12 +210,11 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; -mysql_read_config(initrc_t) -mysql_read_config(mysqlmanagerd_t) -mysql_read_pid_files(mysqlmanagerd_t) -mysql_search_db(mysqlmanagerd_t) -mysql_signal(mysqlmanagerd_t) -mysql_stream_connect(mysqlmanagerd_t) +allow mysqlmanagerd_t mysqld_t:process signal; + +allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms; +allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; +allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms; domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) 
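Review bot: `mysql_read_config(initrc_t)` is removed along with the manager's interface calls, but nothing in this commit replaces it, so initrc_t (which presumably runs the `/etc/rc.d/init.d/mysqld` script labeled in mysql.fc) loses its explicit read access to mysqld_etc_t. If the init script reads /etc/my.cnf, this only keeps working when initrc_t already reads config_file-attributed files through another interface; if it does not, the rule belongs in init.te inside an `optional_policy` block rather than being dropped. Referencing initrc_t directly from mysql.te was a layering problem, so moving the rule rather than deleting it is the fix.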
@@ -215,6 +222,8 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) +stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) + kernel_read_system_state(mysqlmanagerd_t) corecmd_exec_shell(mysqlmanagerd_t) @@ -223,18 +232,21 @@ corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) corenet_all_recvfrom_netlabel(mysqlmanagerd_t) corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) -corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t) corenet_tcp_bind_generic_node(mysqlmanagerd_t) -corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) -corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) + corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) +corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) +corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) +corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t) dev_read_urand(mysqlmanagerd_t) files_read_etc_files(mysqlmanagerd_t) files_read_usr_files(mysqlmanagerd_t) +files_search_pids(mysqlmanagerd_t) +files_search_var_lib(mysqlmanagerd_t) miscfiles_read_localization(mysqlmanagerd_t) -userdom_getattr_user_home_dirs(mysqlmanagerd_t) +userdom_search_user_home_dirs(mysqlmanagerd_t) diff --git a/quantum.te b/quantum.te index 47ef473..769d1fd 100644 --- a/quantum.te +++ b/quantum.te @@ -1,4 +1,4 @@ -policy_module(quantum, 1.0.1) +policy_module(quantum, 1.0.2) ######################################## # @@ -83,7 +83,6 @@ optional_policy(` optional_policy(` mysql_stream_connect(quantum_t) - mysql_rw_db_sockets(quantum_t) mysql_read_config(quantum_t) mysql_tcp_connect(quantum_t)