Re: provide mysql access to guest_u

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



     A. On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
> > On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
> >> Hi - I have  a restricted account with guest_u.How to provide mysql
> >> access to guest_u without breaking other services?
> > 
> >> I tried "setsebool -P allow_user_mysql_connect 1"
> > 
> >> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL server 
> >> through socket '/var/lib/mysql/mysql.sock' (13)
> > 
> > 
> >> Thanks for help.
> > 
> > 
> > 
> >> -- ---- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in 
> >> <http://www.giis.co.in>
> > 
> > 
> >> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> > I would add a custom policy module
> > 
> > policy_module(myguest, 1.0)
> > 
> > gen_require(` type guest_t; ')
> > 
> > mysql_stream_connect(guest_t) -- selinux mailing list 
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> 
> I guess Dominic beat me to it.  Currently the allow_user booleans do not effect
> 
> guest_u or xguest_u, because I want them as locked down as possible.

The question is where to put the threshold

I recently revisited creating a restricted ssh login user from scratch:

https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/

some stats:

Me (source): 
sesearch -ASCT -s myrole_t | grep Found
Found 59 semantic av rules:
Found 4 semantic te rules:

Fedora (source):
sesearch -ASCT -s guest_t | grep Found
Found 620 semantic av rules:
Found 38 semantic te rules:
Found 82 named file transition filename_trans:

me (target):
sesearch -ASCT -t myrole_t | grep Found
Found 30 semantic av rules:

Fedora (target):
sesearch -ASCT -t guest_t | grep Found
Found 909 semantic av rules:

Granted, my policy is probably too locked down as is in many ways. But
it is easier to extend a policy than it is to remove rules from a policy
imho

> The way to adjust their policy is through custom policy rules, or you could
> generate a new user type using sepolicy generate (selinux-polgengui)
> guest_mysql_u.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux