From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 70992138010 for ; Fri, 2 Nov 2012 19:10:11 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C7DA521C0B5; Fri, 2 Nov 2012 19:09:32 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 0628321C0B2 for ; Fri, 2 Nov 2012 19:09:31 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 07C4833D81A for ; Fri, 2 Nov 2012 19:09:31 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id B0868E5451 for ; Fri, 2 Nov 2012 19:09:28 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1351883212.cc2948189ecfbaf28cb8979a9c2835eec7a1f905.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/mysql.if X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: cc2948189ecfbaf28cb8979a9c2835eec7a1f905 X-VCS-Branch: master Date: Fri, 2 Nov 2012 19:09:28 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 56a8d5fe-feba-4b50-bdb6-d7236405c592 X-Archives-Hash: 16f83b4cb357c131a057adae602154b6 commit: cc2948189ecfbaf28cb8979a9c2835eec7a1f905 Author: Sven Vermeulen siphos be> AuthorDate: Fri Nov 2 19:06:52 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Fri Nov 2 19:06:52 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cc294818 Reshuffle gento specific mysql code --- policy/modules/contrib/mysql.if | 98 +++++++++++++++++++------------------- 1 files changed, 49 insertions(+), 49 deletions(-) diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if index 1c038dc..66a1dca 100644 --- a/policy/modules/contrib/mysql.if +++ b/policy/modules/contrib/mysql.if @@ -397,6 +397,55 @@ interface(`mysql_search_pid_files',` search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ') +######################################## +## +## All of the rules required to +## administrate an mysqld environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`mysql_admin',` + gen_require(` + type mysqld_t, mysqld_var_run_t, mysqld_etc_t; + type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; + type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; + type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t; + ') + + allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) + + init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) + domain_system_change_exemption($1) + role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; + allow $2 system_r; + + files_search_pids($1) + admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) + + files_search_var_lib($1) + admin_pattern($1, mysqld_db_t) + + files_search_etc($1) + admin_pattern($1, mysqld_etc_t) + + logging_search_logs($1) + admin_pattern($1, mysqld_log_t) + + files_search_tmp($1) + admin_pattern($1, mysqld_tmp_t) +') + ####################################### ## ## Set the attributes of the MySQL run directories @@ -459,52 +508,3 @@ interface(`mysql_create_run_dirs',` interface(`mysql_generic_run_filetrans_run',` refpolicywarn(`$0($*) has been deprecated.') ') - -######################################## -## -## All of the rules required to -## administrate an mysql environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`mysql_admin',` - gen_require(` - type mysqld_t, mysqld_var_run_t, mysqld_etc_t; - type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; - type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; - type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t; - ') - - allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) - - init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) - - files_search_var_lib($1) - admin_pattern($1, mysqld_db_t) - - files_search_etc($1) - admin_pattern($1, mysqld_etc_t) - - logging_search_logs($1) - admin_pattern($1, mysqld_log_t) - - files_search_tmp($1) - admin_pattern($1, mysqld_tmp_t) -')