-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/05/2013 09:06 AM, Dominick Grift wrote:
> A.
>
> On Tue, 2013-02-05 at 08:31 -0500, Daniel J Walsh wrote:
>> On 02/05/2013 08:27 AM, Daniel J Walsh wrote:
>>> On 02/04/2013 09:53 PM, Lakshmipathi.G wrote:
>>>> Hi - I have a restricted account with guest_u. How to provide mysql
>>>> access to guest_u without breaking other services?
>>>>
>>>> I tried "setsebool -P allow_user_mysql_connect 1"
>>>>
>>>> Still it says - ERROR 2002 (HY000): Can't connect to local MySQL
>>>> server through socket '/var/lib/mysql/mysql.sock' (13)
>>>>
>>>> Thanks for help.
>>>>
>>>> --
>>>> ----
>>>> Cheers,
>>>> Lakshmipathi.G
>>>> FOSS Programmer.
>>>> www.giis.co.in <http://www.giis.co.in>
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> I would add a custom policy module
>>>
>>>     policy_module(myguest, 1.0)
>>>
>>>     gen_require(`
>>>         type guest_t;
>>>     ')
>>>
>>>     mysql_stream_connect(guest_t)
>>
>> I guess Dominic beat me to it. Currently the allow_user booleans do not
>> affect guest_u or xguest_u, because I want them as locked down as possible.
>
> The question is where to put the threshold
>
> I recently revisited creating a restricted ssh login user from scratch:
>
> https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
>
> some stats:
>
> Me (source): sesearch -ASCT -s myrole_t | grep Found
> Found 59 semantic av rules:
> Found 4 semantic te rules:
>
> Fedora (source): sesearch -ASCT -s guest_t | grep Found
> Found 620 semantic av rules:
> Found 38 semantic te rules:
> Found 82 named file transition filename_trans:
>
> me (target): sesearch -ASCT -t myrole_t | grep Found
> Found 30 semantic av rules:
>
> Fedora (target): sesearch -ASCT -t guest_t | grep Found
> Found 909 semantic av rules:
>
> Granted, my policy is probably too locked down as is in many ways. But it
> is easier to extend a policy than it is to remove rules from a policy imho
>
>> The way to adjust their policy is through custom policy rules, or you
>> could generate a new user type using sepolicy generate
>> (selinux-polgengui) guest_mysql_u.

I agree and it would probably be worth investigating what to remove from guest_u.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlERGawACgkQrlYvE4MpobN3fgCgirGIWP3MimyHNA/fJY7bWE+g
7yoAn168hK0eWJRo3wssN9sPf2lw41bp
=dncE
-----END PGP SIGNATURE-----
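The module Dan suggests and the sesearch comparison Dominick posts, put together as one script: write the .te file, build it with the policy devel Makefile, load it, then re-run the rule counts so the cost of the extra access on guest_t is visible before and after. This is an added example and not code from either poster or from the Fedora policy. The working directory name, the command-line dispatch and the socket check are my assumptions; mysql_stream_connect is the reference policy interface Dan names, and mysqld_var_run_t is the socket's type in the reference policy's mysql module.

```shell
#!/bin/sh
# Added example (not from the thread): custom module giving guest_t access to
# the MySQL socket, plus the sesearch bookkeeping to see what it changed.
set -eu

MODULE=myguest   # module name as in Dan Walsh's snippet

# Write the type-enforcement source into DIR (default ./myguest-policy, an
# assumption) and print the path. Only mysql_stream_connect() is added; nothing
# else about guest_t changes.
write_te() {
    dir=${1:-./$MODULE-policy}
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(myguest, 1.0)

gen_require(`
	type guest_t;
')

# Let the guest login type connect() to mysqld's unix stream socket.
mysql_stream_connect(guest_t)
EOF
    printf '%s\n' "$dir/$MODULE.te"
}

# Build the .pp with the reference-policy devel Makefile (selinux-policy-devel
# on Fedora) and load it into the running policy. semodule needs root.
build_and_load() {
    dir=${1:-./$MODULE-policy}
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel is not installed" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
}

# Sum the counts from sesearch's "Found N ... rules:" summary lines (the lines
# Dominick grepped for). Reads sesearch output on stdin, prints the total.
sum_found() {
    awk '/^Found [0-9]+ /{ total += $2 } END { print total + 0 }'
}

# Rules naming guest_t as source and as target, in the same form as the stats
# above; run once before and once after build_and_load to compare.
guest_rule_counts() {
    printf 'source: %s\n' "$(sesearch -ASCT -s guest_t | sum_found)"
    printf 'target: %s\n' "$(sesearch -ASCT -t guest_t | sum_found)"
}

# Look for the one allow rule the poster was missing: write on mysqld's socket.
check_mysql_socket_access() {
    sesearch -A -s guest_t -t mysqld_var_run_t -c sock_file -p write
}

case "${1:-}" in
    write) write_te "${2:-}" ;;
    build) build_and_load "${2:-}" ;;
    stats) guest_rule_counts ;;
    check) check_mysql_socket_access ;;
    *)     echo "usage: $0 write|build [dir] | stats | check" >&2 ;;
esac
```

Run it as `sh guest-mysql.sh stats` before and after `sh guest-mysql.sh build`; the source count for guest_t should rise by the handful of rules the interface expands to, and `check` should then print the allow rule for sock_file write. If `check` prints nothing after loading, the module built against a policy whose mysql types differ from the running one, and the audit log is the place to look next.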