mysql issues...

Russell Coker russell at coker.com.au
Tue Jun 1 13:23:47 UTC 2004


On Thu, 27 May 2004 02:26, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 26 May 2004 14:17:40 +1000, Russell Coker said:
> > How should we determine who gets mysql client access?  Should we have a
> > tunable determining whether we allow userdomain?
>
> That might be a good solution..

OK, I've attached a sample policy file to allow this.  I put it in mysqld.te 
because it goes easiest there.  One advantage of doing it this way is that it 
makes the policy simpler, another is that if an administrator wants to change 
the policy to allow only dba_t instead of all of userdomain then it's a much 
easier change for them.

On Thu, 27 May 2004 02:31, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> Is the client program setgid or setuid presently to give it more
> access?  If so, then a separate domain is reasonable.  Regardless, there
> is a potential advantage in limiting access to the client program, e.g.
> you can ensure that only well-formed messages constructed by the client
> program are sent on that socket as opposed to arbitrary data from the
> user.  Naturally, it all depends on what you are trying to protect and
> what threats you want to counter.

The client program is not setgid or setuid, it has no special access and 
merely implements the protocol.

Regarding well-formed messages, given that the authors of the client program 
apparently did not design it to be run as a trusted program I don't have any 
great expectations of its ability to prevent itself from being exploited.  
This combined with the difficulties of a separate domain (redirection of 
stdin/stdout not working as expected etc) makes me believe that it's not 
worth trying such things at this stage.

Maybe at a future time if the MySql developers want to add SE Linux support to 
their database server we could do such things along the way.


PS  There's a lot of other MySql work that needs to be done to make it work on 
Fedora.  A quick test has revealed to me that installing it in enforcing mode 
does not work well.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
#DESC Mysqld - Database server
#
# Author:  Russell Coker <russell at coker.com.au>
# X-Debian-Packages: mysql-server
#

#################################
#
# Rules for the mysqld_t domain.
#
# mysqld_exec_t is the type of the mysqld executable.
#
daemon_domain(mysqld)

allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;

etcdir_domain(mysqld)
typealias mysqld_etc_t alias etc_mysqld_t;
type mysqld_db_t, file_type, sysadmfile;

log_domain(mysqld)

allow mysqld_t tmp_t:dir { getattr read };

allow mysqld_t usr_t:file { getattr read };

allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow initrc_t mysqld_t:unix_stream_socket { connectto };
allow initrc_t mysqld_var_run_t:sock_file write;

allow initrc_t mysqld_log_t:file { write append setattr ioctl };

allow mysqld_t self:capability { setgid setuid };
allow mysqld_t self:process getsched;

allow mysqld_t proc_t:file { getattr read };

# Allow access to the mysqld databases
create_dir_file(mysqld_t, mysqld_db_t)
allow mysqld_t var_lib_t:dir search;

can_network(mysqld_t)

# read config files
r_dir_file(initrc_t, mysqld_etc_t)
allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };

allow mysqld_t etc_t:dir search;

allow mysqld_t sysctl_kernel_t:dir search;
allow mysqld_t sysctl_kernel_t:file read;

can_unix_connect(sysadm_t, mysqld_t)

# for /root/.my.cnf - should not be needed
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };

ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
allow logrotate_t mysqld_db_t:dir search;
allow logrotate_t mysqld_var_run_t:dir search;
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)
')

ifdef(`user_db_connect', `
allow userdomain mysqld_var_run_t:dir search;
allow userdomain mysqld_var_run_t:sock_file write;
# writing the sock_file is only half of a unix socket connect; the client
# domain also needs connectto on mysqld_t, as initrc_t and logrotate_t get above
can_unix_connect(userdomain, mysqld_t)
')
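As an added example (not from the post or the example policy tree), a small audit of which domains may open the mysqld unix socket under a given set of tunables, modelling `can_unix_connect(src, mysqld_t)` as `unix_stream_socket connectto` on the server domain and the `sock_file write` half separately. The embedded policy text is constructed to mirror the rule shapes in the attachment; attribute-based grants such as `sysadmfile` are deliberately not modelled.

```python
import re

# Constructed excerpt (not the post's attachment verbatim) that mirrors the
# socket-related rules of the mysqld.te in this thread, tunables included.
POLICY = """\
allow initrc_t mysqld_t:unix_stream_socket { connectto };
allow initrc_t mysqld_var_run_t:sock_file write;
can_unix_connect(sysadm_t, mysqld_t)
ifdef(`logrotate.te', `
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)
')
ifdef(`user_db_connect', `
allow userdomain mysqld_var_run_t:sock_file write;
can_unix_connect(userdomain, mysqld_t)
')
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
CONNECT_RE = re.compile(r"^can_unix_connect\((\w+),\s*(\w+)\)")
IFDEF_RE = re.compile(r"^ifdef\(`([^']+)',\s*`")

def socket_access(policy, defines):
    """Map domain -> subset of {'write', 'connectto'}: 'write' on
    mysqld_var_run_t:sock_file, 'connectto' on mysqld_t's unix_stream_socket.
    A rule counts only if every enclosing ifdef() name is in `defines`."""
    access, active = {}, []  # active: one enabled/disabled flag per ifdef block
    for line in (ln.strip() for ln in policy.splitlines()):
        if m := IFDEF_RE.match(line):
            active.append(m.group(1) in defines)
        elif line == "')":
            active.pop()
        elif not all(active):
            continue  # inside a tunable block that is switched off
        elif m := ALLOW_RE.match(line):
            src, tgt, cls, perms = m.groups()
            perms = set(perms.strip("{}").split())
            if (tgt, cls) == ("mysqld_var_run_t", "sock_file") and "write" in perms:
                access.setdefault(src, set()).add("write")
            if (tgt, cls) == ("mysqld_t", "unix_stream_socket") and "connectto" in perms:
                access.setdefault(src, set()).add("connectto")
        elif (m := CONNECT_RE.match(line)) and m.group(2) == "mysqld_t":
            access.setdefault(m.group(1), set()).add("connectto")
    return access

def clients(policy, defines=()):
    """Domains holding both halves, i.e. able to open the mysqld unix socket."""
    return sorted(d for d, h in socket_access(policy, defines).items()
                  if h >= {"write", "connectto"})
```

With no tunables only initrc_t qualifies; sysadm_t shows just the connectto half because its file access comes from the sysadmfile attribute, which this file does not state explicitly.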
