mysql issues...

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed May 26 16:26:01 UTC 2004


On Wed, 26 May 2004 14:17:40 +1000, Russell Coker said:

> How should we determine who gets mysql client access?  Should we have a 
> tunable determining whether we allow userdomain?

That might be a good solution.. 

> Why have mysql_cmd_t instead of just allowing user_t directly?  What is the 
> benefit in having a domain for client access?

Thinko on my part - I invented the cmd_t because I'd been fighting various
issues for about 14 hours at that point, and didn't parse through mysqld.te,
apache.te, and mysqld.fc sufficiently to realize that the var_run_t was
identical in semantics (somehow, I was convinced that var_run_t included
something I didn't want in cmd_t, but that was wrong).

How do people feel about the attached patch to add a tunable?
-------------- next part --------------
--- macros/user_macros.te.dist	2004-05-11 11:03:38.000000000 -0400
+++ macros/user_macros.te	2004-05-26 12:22:18.852047888 -0400
@@ -242,6 +242,14 @@
 r_dir_file($1_t, mnt_t)
 ')
 
+ifdef(`user_mysql',`
+#
+# Allow users to access the mysql socket
+#
+allow $1_t mysqld_var_run_t:dir search;
+allow $1_t mysqld_var_run_t:sock_file write;
+')
+
 #
 # Rules used to associate a homedir as a mountpoint
 #
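Review bot: the two allow rules only cover searching the directory and writing the socket file; a client connecting to a Unix domain socket normally also needs connectto on the daemon's unix_stream_socket, which this ifdef block does not grant. Please confirm a mysql client connect actually succeeds under the user domain with just these rules, and if not add `allow $1_t mysqld_t:unix_stream_socket connectto;` inside the same `ifdef(`user_mysql',...)` block so the tunable is complete.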
--- tunable.te.dist	2004-05-11 11:03:38.000000000 -0400
+++ tunable.te	2004-05-26 12:19:33.221383912 -0400
@@ -99,3 +99,6 @@
 
 # Allow user to rw usb devices
 define(`user_rw_usb')
+
+# Allow users to access mysql
+define(`user_mysql')
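Review bot: adding `define(`user_mysql')` uncommented turns the tunable on by default, so every user domain gets mysql socket access as soon as this is merged; since the thread's open question is whether userdomain should be allowed at all, consider shipping it disabled (commented out with `dnl` like an opt-in tunable) and let sites enable it deliberately. The comment could also say what is actually granted (access to the mysqld socket) rather than "access mysql".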