On Wed, 26 May 2004 14:17:40 +1000, Russell Coker said: > How should we determine who gets mysql client access? Should we have a > tunable determining whether we allow userdomain? That might be a good solution.. > Why have mysql_cmd_t instead of just allowing user_t directly? What is the > benefit in having a domain for client access? Thinko on my part - I invented the cmd_t because I'd been fighting various issues for about 14 hours at that point, and didn't parse through mysqld.te, apache.te, and mysqld.fc sufficiently to realize that the var_run_t was identical in semantics (somehow, I was convince that var_run_t included something I didn't want in cmd_t, but that was wrong). How do people feel about the attached patch to add a tunable?
--- macros/user_macros.te.dist 2004-05-11 11:03:38.000000000 -0400 +++ macros/user_macros.te 2004-05-26 12:22:18.852047888 -0400 @@ -242,6 +242,14 @@ r_dir_file($1_t, mnt_t) ') +ifdef(`user_mysql',` +# +# Allow users to access the mysql socket +# +allow $1_t mysqld_var_run_t:dir search; +allow $1_t mysqld_var_run_t:sock_file write; +') + # # Rules used to associate a homedir as a mountpoint # --- tunable.te.dist 2004-05-11 11:03:38.000000000 -0400 +++ tunable.te 2004-05-26 12:19:33.221383912 -0400 @@ -99,3 +99,6 @@ # Allow user to rw usb devices define(`user_rw_usb') + +# Allow users to access mysql +define(`user_mysql')
Attachment:
pgpwIhx1RwRUS.pgp
Description: PGP signature
