mysql issues...

[Stephen Smalley]

On Wed, 2004-05-26 at 00:17, Russell Coker wrote:
> Why have mysql_cmd_t instead of just allowing user_t directly?  What is the 
> benefit in having a domain for client access?

Is the client program setgid or setuid presently to give it more
access?  If so, then a separate domain is reasonable.  Regardless, there
is a potential advantage in limiting access to the client program, e.g.
you can ensure that only well-formed messages constructed by the client
program are sent on that socket as opposed to arbitrary data from the
user.  Naturally, it all depends on what you are trying to protect and
what threats you want to counter.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency