Re: provide mysql access to guest_u

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/05/2013 09:06 AM, Dominick Grift wrote:
> A. On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
>> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
>>> On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
>>>> Hi - I have  a restricted account with guest_u.How to provide mysql 
>>>> access to guest_u without breaking other services?
>>> 
>>>> I tried "setsebool -P allow_user_mysql_connect 1"
>>> 
>>>> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL
>>>> server through socket '/var/lib/mysql/mysql.sock' (13)
>>> 
>>> 
>>>> Thanks for help.
>>> 
>>> 
>>> 
>>>> -- ---- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in 
>>>> <http://www.giis.co.in>
>>> 
>>> 
>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> 
>>> I would add a custom policy module
>>> 
>>> policy_module(myguest, 1.0)
>>> 
>>> gen_require(` type guest_t; ')
>>> 
>>> mysql_stream_connect(guest_t) -- selinux mailing list 
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> 
>> 
>> I guess Dominic beat me to it.  Currently the allow_user booleans do not
>> effect
>> 
>> guest_u or xguest_u, because I want them as locked down as possible.
> 
> The question is where to put the threshold
> 
> I recently revisited creating a restricted ssh login user from scratch:
> 
> https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
>
>  some stats:
> 
> Me (source): sesearch -ASCT -s myrole_t | grep Found Found 59 semantic av
> rules: Found 4 semantic te rules:
> 
> Fedora (source): sesearch -ASCT -s guest_t | grep Found Found 620 semantic
> av rules: Found 38 semantic te rules: Found 82 named file transition
> filename_trans:
> 
> me (target): sesearch -ASCT -t myrole_t | grep Found Found 30 semantic av
> rules:
> 
> Fedora (target): sesearch -ASCT -t guest_t | grep Found Found 909 semantic
> av rules:
> 
> Granted, my policy is probably too locked down as is in many ways. But it
> is easier to extend a policy than it is to remove rules from a policy imho
> 
>> The way to adjust their policy is through custom policy rules, or you
>> could generate a new user type using sepolicy generate
>> (selinux-polgengui) guest_mysql_u. -- selinux mailing list 
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
I agree and it would probably be worth investigating what to remove from
guest_u.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlERGawACgkQrlYvE4MpobN3fgCgirGIWP3MimyHNA/fJY7bWE+g
7yoAn168hK0eWJRo3wssN9sPf2lw41bp
=dncE
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux