On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
> > On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
> >> Hi - I have a restricted account with guest_u. How to provide mysql
> >> access to guest_u without breaking other services?
> >>
> >> I tried "setsebool -P allow_user_mysql_connect 1"
> >>
> >> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL server
> >> through socket '/var/lib/mysql/mysql.sock' (13)
> >>
> >> Thanks for help.
> >>
> >> --
> >> ----
> >> Cheers,
> >> Lakshmipathi.G
> >> FOSS Programmer.
> >> www.giis.co.in <http://www.giis.co.in>
> >>
> >> --
> >> selinux mailing list
> >> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> > I would add a custom policy module
> >
> > policy_module(myguest, 1.0)
> >
> > gen_require(`
> >     type guest_t;
> > ')
> >
> > mysql_stream_connect(guest_t)
>
> I guess Dominic beat me to it. Currently the allow_user booleans do not affect
> guest_u or xguest_u, because I want them as locked down as possible.

The question is where to put the threshold. I recently revisited creating a
restricted ssh login user from scratch:

https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/

some stats:

Me (source):
sesearch -ASCT -s myrole_t | grep Found
Found 59 semantic av rules:
Found 4 semantic te rules:

Fedora (source):
sesearch -ASCT -s guest_t | grep Found
Found 620 semantic av rules:
Found 38 semantic te rules:
Found 82 named file transition filename_trans:

me (target):
sesearch -ASCT -t myrole_t | grep Found
Found 30 semantic av rules:

Fedora (target):
sesearch -ASCT -t guest_t | grep Found
Found 909 semantic av rules:

Granted, my policy is probably too locked down as is in many ways. But it is
easier to extend a policy than it is to remove rules from a policy imho

> The way to adjust their policy is through custom policy rules, or you could
> generate a new user type using sepolicy generate (selinux-polgengui)
> guest_mysql_u.
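Added example, not code from anyone in this thread: the build/load/verify steps around the custom module Dan sketched, so guest_t gains only the mysqld socket connect and the other user types stay untouched. It assumes selinux-policy-devel is installed (/usr/share/selinux/devel/Makefile), that the policy provides mysql_stream_connect(), and that the socket is owned by mysqld_t as in the Fedora policy; the module name and version are my own choice.

```shell
#!/bin/sh
# Added example (not from the thread): compile the myguest module, load it,
# and confirm the resulting allow rule with sesearch.
# Assumptions: /usr/share/selinux/devel/Makefile exists, mysql_stream_connect()
# is provided by the installed policy, and the mysqld socket is labeled for
# mysqld_t (Fedora reference policy). Run as root with MYGUEST_APPLY=1 to apply.
set -e

# Type-enforcement source for the module (name "myguest" and version are assumed).
write_te() {
    cat <<'EOF'
policy_module(myguest, 1.0)

gen_require(`
    type guest_t;
')

# Grant guest_t only the connect to the mysqld unix stream socket; no other
# part of the guest_t lockdown changes, so xguest_u and the other users are unaffected.
mysql_stream_connect(guest_t)
EOF
}

# Compile myguest.te into myguest.pp inside $1 and load it into the running policy.
build_and_load() {
    write_te > "$1/myguest.te"
    make -C "$1" -f /usr/share/selinux/devel/Makefile myguest.pp
    semodule -i "$1/myguest.pp"
}

# Check that the loaded policy now carries the connectto rule for guest_t.
verify_rule() {
    sesearch -A -s guest_t -t mysqld_t -c unix_stream_socket -p connectto | grep -q connectto
}

# Touch the live policy only when explicitly requested.
if [ "${MYGUEST_APPLY:-0}" = "1" ]; then
    workdir=$(mktemp -d)
    build_and_load "$workdir"
    verify_rule && echo "guest_t may now connect to the mysqld socket"
fi
```

Without MYGUEST_APPLY=1 the script only defines the functions, so it is safe to source on a box without SELinux tooling.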