El Miércoles, 16 de Agosto de 2006 00:36, Ryan Golhar escribió: > Hi Manuel, > > I would like to use SELinux with RHEL 4. It's new and I'm gonna have to > learn it sooner or later. > > I suppose my problem is that I'm totally new to it and not sure how to > configure it to allow certain programs access to certain files. I > suspect this is only one piece of it and I'm sure I'm going to run into > a whole lot more. I've googled it and read some but most of what I've > found is overviews and white papers. Nothing that gives hands-on > experience. > > The only real useful thing I've found is http://seedit.sourceforge.net/, > but it's a GUI tool and I'd rather stick to the shell. > > By default MySQL is not set up for network connectivity, both in the MySQL configuration and SELinux policy. This means that both the MySQL configuration and SELinux policy must be modified to allow MySQL network connectivity. This policy works for me; it's from Russell Coker and Tom Vogt. (Note: the rules below contain no explicit tcp_socket or port rules — what they grant is unix-domain socket access to mysqld; TCP connectivity, if that is what is needed, would have to come from the daemon_domain macro or from additional rules.) ################################# # # Rules for the mysqld_t domain. 
# # mysqld_t is the type of the mysql daemon # daemon_domain(mysqld) domain_auto_trans(initrc_t, mysqld_exec_t, mysqld_t) type etc_mysqld_t, file_type, sysadmfile; type mysqld_db_dir_t, file_type, sysadmfile; type mysqld_db_t, file_type, sysadmfile; type mysqld_log_t, file_type, sysadmfile, logfile; # # Permissions required by the initrc script and safe_mysqld wrapper # (both running in initrc_t) # allow initrc_t etc_mysqld_t:file { read }; # create error startup log in /var/lib/mysql allow initrc_t mysqld_db_dir_t:dir { write }; file_type_auto_trans(initrc_t, mysqld_db_dir_t, mysqld_db_t) # touch /var/log/mysql and chown it to the mysql user allow initrc_t mysqld_log_t:dir rw_dir_perms; allow initrc_t mysqld_log_t:file create_file_perms; # mysqladmin wants to talk to mysqld allow initrc_t var_run_mysqld_t:sock_file { write }; allow initrc_t mysqld_t:unix_stream_socket { connectto }; # # Permissions for the daemon itself (mysqld) # general_proc_read_access(mysqld_t) general_file_read_access(mysqld_t) allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:fifo_file rw_file_perms; allow mysqld_t self:process { getsched }; # read config files allow mysqld_t etc_mysqld_t:dir r_dir_perms; allow mysqld_t etc_t:lnk_file r_file_perms; allow mysqld_t etc_t:file r_file_perms; allow mysqld_t etc_mysqld_t:file r_file_perms; # temp and log files allow mysqld_t var_log_t:dir { search }; allow mysqld_t var_log_t:file { append }; allow mysqld_t mysqld_log_t:file { create append }; file_type_auto_trans(mysqld_t, var_log_t, mysqld_log_t) allow mysqld_t tmp_t:dir r_dir_perms; # drop uid/gid allow mysqld_t self:capability { setgid setuid }; # read /etc/mtab allow mysqld_t etc_runtime_t:file r_file_perms; # access the console allow mysqld_t admin_tty_type:chr_file { read write }; # # The databases # file_type_auto_trans(mysqld_t, mysqld_db_dir_t, mysqld_db_t) allow mysqld_t mysqld_db_dir_t:dir create_dir_perms; allow mysqld_t mysqld_db_t:dir 
create_dir_perms; allow mysqld_t mysqld_db_t:file create_file_perms; # Let dpkg install the default DB correctly and start/stop the server ifdef(`dpkg.te', ` allow dpkg_t mysqld_exec_t:file { execute }; domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t) file_type_auto_trans(dpkg_t, mysqld_db_dir_t, mysqld_db_t) ') # # Client tools, for the sysadm role, this is easy: # allow sysadm_t mysqld_t:unix_stream_socket { connectto }; # for normal users, we need to give them some other # access rights, too: allow user_t mysqld_t:unix_stream_socket { connectto }; allow user_t var_run_mysqld_t:sock_file { write }; allow user_t etc_mysqld_t:dir { search }; allow user_t etc_mysqld_t:file { read }; allow user_t mysqld_db_dir_t:dir { search }; allow user_t var_run_mysqld_t:dir { search }; ifdef(`logrotate.te', ` r_dir_file(logrotate_t, etc_mysqld_t) allow logrotate_t mysqld_db_dir_t:dir search; allow logrotate_t var_run_mysqld_t:dir search; allow logrotate_t var_run_mysqld_t:sock_file write; can_unix_connect(logrotate_t, mysqld_t) ') ["mysqld.fc" (text/plain)] # mysql database server /usr/sbin/mysqld system_u:object_r:mysqld_exec_t /var/run/mysqld(/.*)? system_u:object_r:var_run_mysqld_t /var/log/mysql.* system_u:object_r:mysqld_log_t /var/lib/mysql system_u:object_r:mysqld_db_dir_t /var/lib/mysql/.* system_u:object_r:mysqld_db_t /etc/my.cnf system_u:object_r:etc_mysqld_t /etc/mysql(/.*)? system_u:object_r:etc_mysqld_t Hope that helps -- Manuel Arostegui Ramirez. Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues. -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list