Thanks guys. This helped me clear some misconceptions I had.

On 11-01-14 11:34, Daniel J Walsh wrote:
> On 01/14/2011 10:48 AM, Luciano Furtado wrote:
>> If I do that I would be giving mysqld_t the ability to run any binary
>> labeled with bin_t. There's got to be a better option; that would open
>> it up too much.
>>
>> On 11-01-14 09:31, Dominick Grift wrote:
>>> On 01/14/2011 03:28 PM, Luciano Furtado wrote:
>>>> When I run audit2allow I get the following:
>>>>
>>>> #============= mysqld_t ==============
>>>> allow mysqld_t bin_t:dir search;
>>>> allow mysqld_t bin_t:file { read execute };
>>>> allow mysqld_t bin_t:lnk_file read;
>>>> allow mysqld_t shell_exec_t:file { read execute getattr execute_no_trans };
>>>
>>> I would probably just allow the above. Looks like it wants to run the mysql
>>> command, which I guess is labelled bin_t.
>>>
>>> corecmd_exec_bin(mysqld_t)
>>> corecmd_exec_shell(mysqld_t)
>>>
>>> should suffice, I believe.
>>>
>>>> What's the proper fix here? I don't want to give mysqld_t permission
>>>> to execute arbitrary scripts. The only solution I have right now is to
>>>> relabel mysql_upgrade so it runs as unconfined, and that's not much of
>>>> a solution.
>>>>
>>>> Best Regards.
>>>> Luciano
>
> Being able to execute a binary without a transition does not give you a
> huge amount of privs. Just because you can execute a program does not
> mean the program can do everything it was designed to do. For example,
> if it tries to write to a directory that mysqld_t is not allowed to
> write, SELinux will block the write.
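For readers who want to see what Dominick's suggestion looks like as a loadable local module rather than the raw audit2allow rules, here is an added example (not code from the thread or from the Fedora policy); the module name mysqld_local, the file name and the Fedora devel Makefile path are assumptions.

```selinux
# mysqld_local.te -- constructed local policy module (example, not from the thread).
# Replaces the raw "allow mysqld_t bin_t:..." rules audit2allow printed with the
# refpolicy interfaces, which cover the same denials:
#   bin_t:dir search, bin_t:file { read execute }, bin_t:lnk_file read
#   shell_exec_t:file { read execute getattr execute_no_trans }
# Note: no domain transition is granted, so whatever mysqld_t launches keeps
# running as mysqld_t and stays bound by mysqld_t's write/network rules.
policy_module(mysqld_local, 1.0)

gen_require(`
	type mysqld_t;
')

corecmd_exec_bin(mysqld_t)
corecmd_exec_shell(mysqld_t)

# Build and load (Fedora, assumed paths; run as root):
#   make -f /usr/share/selinux/devel/Makefile mysqld_local.pp
#   semodule -i mysqld_local.pp
# Check that the result is what you expected, and nothing more:
#   sesearch -A -s mysqld_t -t bin_t -c file -p execute
#   sesearch -T -s mysqld_t -t bin_t        # should show no new type_transition
```

If mysql_upgrade later hits a different denial (for example a write into a directory mysqld_t cannot write), audit2allow will report that separately; add only what the log shows rather than relabelling the binary unconfined.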