Re: mysql issues...


 



On Wed, 26 May 2004 14:17:40 +1000, Russell Coker said:

> How should we determine who gets mysql client access?  Should we have a 
> tunable determining whether we allow userdomain?

That might be a good solution.. 

> Why have mysql_cmd_t instead of just allowing user_t directly?  What is the 
> benefit in having a domain for client access?

Thinko on my part - I invented the cmd_t because I'd been fighting various
issues for about 14 hours at that point, and didn't parse through mysqld.te,
apache.te, and mysqld.fc sufficiently to realize that the var_run_t was
identical in semantics (somehow, I was convinced that var_run_t included
something I didn't want in cmd_t, but that was wrong).

How do people feel about the attached patch to add a tunable?
--- macros/user_macros.te.dist	2004-05-11 11:03:38.000000000 -0400
+++ macros/user_macros.te	2004-05-26 12:22:18.852047888 -0400
@@ -242,6 +242,14 @@
 r_dir_file($1_t, mnt_t)
 ')
 
+ifdef(`user_mysql',`
+#
+# Allow users to access the mysql socket
+#
+allow $1_t mysqld_var_run_t:dir search;
+allow $1_t mysqld_var_run_t:sock_file write;
+')
+
 #
 # Rules used to associate a homedir as a mountpoint
 #
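
Review bot: The new `user_mysql` block grants only `dir search` and `sock_file write` on `mysqld_var_run_t`, but connecting to a Unix stream socket is also checked against the server domain with `unix_stream_socket connectto`. Unless that permission is already granted to `$1_t` elsewhere, the client will still be denied at connect time, so consider adding the connect rule for `mysqld_t` inside the same `ifdef`. The block also references `mysqld_var_run_t` without checking that the mysqld policy is part of the build. Wrapping it in a second guard on that policy file would keep the tunable from breaking builds that leave mysqld out.
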
--- tunable.te.dist	2004-05-11 11:03:38.000000000 -0400
+++ tunable.te	2004-05-26 12:19:33.221383912 -0400
@@ -99,3 +99,6 @@
 
 # Allow user to rw usb devices
 define(`user_rw_usb')
+
+# Allow users to access mysql
+define(`user_mysql')
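
Review bot: `define(`user_mysql')` is added unconditionally, so the tunable is on for every build that picks up this file, and because the macro expands on `$1_t` it applies to every user domain. The thread leaves open who should get client access, so it would be safer to ship this disabled and let the administrator enable it. The comment "Allow users to access mysql" is also broader than what the macro grants. Something like "Allow user domains to connect to the local mysqld socket" would describe it accurately.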
