Nice work. https://mariadb.atlassian.net/browse/MDEV-7637 has some netlink_audit_socket rules that don't appear to be here.
Recommend contributing the selinux component to https://github.com/TresysTechnology/refpolicy which distros usually develop their policies from. Does this work for galera multicast? It appears to only allow tcp bind here. note for readme semanage permissive -a mysqld_t - less of a change for enabling just that domain to be permissive. Does any of https://mariadb.com/kb/en/mariadb/what-to-do-if-mariadb-doesnt-start/ need changing? ----- On 18 Jun, 2015, at 11:59 PM, Nirbhay Choubey nirb...@mariadb.com wrote:
> revision-id: 6050ab658696925f2a031b901eb398fff65fa92a
> parent(s): 9eff9ed5c58e782abf383a52a7e691a55b4798a2
> committer: Nirbhay Choubey
> branch nick: 5.5-galera
> timestamp: 2015-06-18 09:59:09 -0400
> message:
>
> MDEV-6829 : SELinux/AppArmor policies for Galera server
>
> Add SELinux policy and AppArmor profile under policy/.
>
> ---
> policy/apparmor/README | 5 ++
> policy/apparmor/usr.sbin.mysqld | 150 ++++++++++++++++++++++++++++++++++
> policy/apparmor/usr.sbin.mysqld.local | 4 +
> policy/selinux/README | 18 ++++
> policy/selinux/mariadb-server.fc | 10 +++
> policy/selinux/mariadb-server.te | 91 +++++++++++++++++++++
> 6 files changed, 278 insertions(+)
>
> diff --git a/policy/apparmor/README b/policy/apparmor/README
> new file mode 100644
> index 0000000..271655f
> --- /dev/null
> +++ b/policy/apparmor/README
> @@ -0,0 +1,5 @@
> +Note: The included AppArmor profiles can be used for MariaDB Galera cluster.
> +However, since these profiles had been tested for a limited set of scenarios,
> +it is highly recommended to run them in "complain" mode and report any
> denials
> +on mariadb.org/jira.
> +
> diff --git a/policy/apparmor/usr.sbin.mysqld b/policy/apparmor/usr.sbin.mysqld
> new file mode 100644
> index 0000000..307872c
> --- /dev/null
> +++ b/policy/apparmor/usr.sbin.mysqld
> @@ -0,0 +1,150 @@
> +# Last Modified: Fri Mar 1 18:55:47 2013
> +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
> +# This AppArmor profile has been copied under BSD License from
> +# Percona XtraDB Cluster, along with some additions.
> +
> +#include <tunables/global>
> +
> +/usr/sbin/mysqld flags=(complain) {
> + #include <abstractions/base>
> + #include <abstractions/mysql>
> + #include <abstractions/nameservice>
> + #include <abstractions/user-tmp>
> + #include <abstractions/winbind>
> +
> + capability chown,
> + capability dac_override,
> + capability setgid,
> + capability setuid,
> + capability sys_rawio,
> + capability sys_resource,
> +
> + network tcp,
> +
> + /bin/dash rcx,
> + /dev/dm-0 r,
> + /etc/gai.conf r,
> + /etc/group r,
> + /etc/hosts.allow r,
> + /etc/hosts.deny r,
> + /etc/ld.so.cache r,
> + /etc/mtab r,
> + /etc/my.cnf r,
> + /etc/mysql/*.cnf r,
> + /etc/mysql/*.pem r,
> + /etc/mysql/conf.d/ r,
> + /etc/mysql/conf.d/* r,
> + /etc/nsswitch.conf r,
> + /etc/passwd r,
> + /etc/services r,
> + /run/mysqld/mysqld.pid w,
> + /run/mysqld/mysqld.sock w,
> + /sys/devices/system/cpu/ r,
> + owner /tmp/** lk,
> + /tmp/** rw,
> + /usr/lib/mysql/plugin/ r,
> + /usr/lib/mysql/plugin/*.so* mr,
> + /usr/sbin/mysqld mr,
> + /usr/share/mysql/** r,
> + /var/lib/mysql/ r,
> + /var/lib/mysql/** rwk,
> + /var/log/mysql.err rw,
> + /var/log/mysql.log rw,
> + /var/log/mysql/ r,
> + /var/log/mysql/* rw,
> + /var/run/mysqld/mysqld.pid w,
> + /var/run/mysqld/mysqld.sock w,
> +
> +
> + profile /bin/dash flags=(complain) {
> + #include <abstractions/base>
> + #include <abstractions/bash>
> + #include <abstractions/mysql>
> + #include <abstractions/nameservice>
> + #include <abstractions/perl>
> +
> +
> +
> + /bin/cat rix,
> + /bin/dash rix,
> + /bin/date rix,
> + /bin/grep rix,
> + /bin/nc.openbsd rix,
> + /bin/netstat rix,
> + /bin/ps rix,
> + /bin/rm rix,
> + /bin/sed rix,
> + /bin/sleep rix,
> + /bin/tar rix,
> + /bin/which rix,
> + /dev/tty rw,
> + /etc/ld.so.cache r,
> + /etc/my.cnf r,
> + /proc/ r,
> + /proc/*/cmdline r,
> + /proc/*/fd/ r,
> + /proc/*/net/dev r,
> + /proc/*/net/if_inet6 r,
> + /proc/*/net/tcp r,
> + /proc/*/net/tcp6 r,
> + /proc/*/stat r,
> + /proc/*/status r,
> + /proc/sys/kernel/pid_max r,
> + /proc/tty/drivers r,
> + /proc/uptime r,
> + /proc/version r,
> + /sbin/ifconfig rix,
> + /sys/devices/system/cpu/ r,
> + /tmp/** rw,
> + /usr/bin/cut rix,
> + /usr/bin/dirname rix,
> + /usr/bin/gawk rix,
> + /usr/bin/innobackupex rix,
> + /usr/bin/mysql rix,
> + /usr/bin/perl rix,
> + /usr/bin/seq rix,
> + /usr/bin/wsrep_sst* rix,
> + /usr/bin/wsrep_sst_common r,
> + /usr/bin/xtrabackup* rix,
> + /var/lib/mysql/ r,
> + /var/lib/mysql/** rw,
> + /var/lib/mysql/*.log w,
> + /var/lib/mysql/*.err w,
> +
> +# MariaDB additions
> + ptrace peer=@{profile_name},
> +
> + /bin/hostname rix,
> + /bin/ip rix,
> + /bin/mktemp rix,
> + /bin/ss rix,
> + /bin/sync rix,
> + /bin/touch rix,
> + /bin/uname rix,
> + /etc/mysql/*.cnf r,
> + /etc/mysql/conf.d/ r,
> + /etc/mysql/conf.d/* r,
> + /proc/*/attr/current r,
> + /proc/*/fdinfo/* r,
> + /proc/*/net/* r,
> + /proc/locks r,
> + /proc/sys/net/ipv4/ip_local_port_range r,
> + /run/mysqld/mysqld.sock rw,
> + /sbin/ip rix,
> + /usr/bin/basename rix,
> + /usr/bin/du rix,
> + /usr/bin/find rix,
> + /usr/bin/lsof rix,
> + /usr/bin/my_print_defaults rix,
> + /usr/bin/mysqldump rix,
> + /usr/bin/pv rix,
> + /usr/bin/rsync rix,
> + /usr/bin/socat rix,
> + /usr/bin/tail rix,
> + /usr/bin/timeout rix,
> + /usr/bin/xargs rix,
> + /usr/bin/xbstream rix,
> + }
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.sbin.mysqld>
> +}
> diff --git a/policy/apparmor/usr.sbin.mysqld.local
> b/policy/apparmor/usr.sbin.mysqld.local
> new file mode 100644
> index 0000000..a0b8a02
> --- /dev/null
> +++ b/policy/apparmor/usr.sbin.mysqld.local
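Review bot: `/tmp/** rw,` in the main profile — and again in the `/bin/dash` child profile — grants read and write on every file under /tmp regardless of owner, while the line just above it, `owner /tmp/** lk,`, already scopes locking to the process's own files. If the SST scripts only need their own temporaries, both lines can collapse to `owner /tmp/** rwk,` in each profile, which keeps a confined mysqld from reading or clobbering other users' files in a shared /tmp. If some scenario genuinely reads a file created by another uid, a comment on the rule should say so rather than leaving it unqualified. The same hunk carries `capability sys_rawio,` with no comment on what needs it; a one-line `# needed for <reason — fill in>` would let a later reviewer decide whether it can be dropped.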
> @@ -0,0 +1,4 @@
> +# Site-specific additions and overrides for usr.sbin.mysqld..
> +# For more details, please see /etc/apparmor.d/local/README.
> +# This AppArmor profile has been copied under BSD License from
> +# Percona XtraDB Cluster, along with some additions.
> diff --git a/policy/selinux/README b/policy/selinux/README
> new file mode 100644
> index 0000000..a8c11c7
> --- /dev/null
> +++ b/policy/selinux/README
> @@ -0,0 +1,18 @@
> +Note: The included SELinux policy files can be used for MariaDB Galera
> cluster.
> +However, since these policies had been tested for a limited set of scenarios,
> +it is highly recommended to run SELinux in "permissive" mode even with these
> +policies installed and report any denials on mariadb.org/jira.
> +
> +
> +How to generate and load the policy module of MariaDB Galera cluster ?
> +
> +* Generate the SELinux policy module.
> + # cd <source>/policy/selinux/
> + # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
> +
> +* Load the generated policy module.
> + # semodule -i /path/to/mariadb-server.pp
> +
> +* Lastly, run the following command to allow 4568.
> + # semanage port -a -t mysqld_port_t -p tcp 4568
> +
> diff --git a/policy/selinux/mariadb-server.fc
> b/policy/selinux/mariadb-server.fc
> new file mode 100644
> index 0000000..1a69ecc
> --- /dev/null
> +++ b/policy/selinux/mariadb-server.fc
> @@ -0,0 +1,10 @@
> +# This SELinux file contexts (.fc) file has been copied under BSD License
> from
> +# Percona XtraDB Cluster.
> +
> +/etc/init\.d/rc\.d/mysql --
> gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> +/var/lib/mysql/.*\.log -- gen_context(system_u:object_r:mysqld_log_t,s0)
> +/var/lib/mysql/.*\.err -- gen_context(system_u:object_r:mysqld_log_t,s0)
> +/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)
> +/var/lib/mysql/.*\.cnf --
> gen_context(system_u:object_r:mysqld_etc_t,s0)
> +/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0)
> +/usr/bin/wsrep.* -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
> diff --git a/policy/selinux/mariadb-server.te
> b/policy/selinux/mariadb-server.te
> new file mode 100644
> index 0000000..9c0319c
> --- /dev/null
> +++ b/policy/selinux/mariadb-server.te
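Review bot: The first context line labels `/etc/init\.d/rc\.d/mysql`, a path that matches neither the Debian `/etc/init.d/mysql` nor the Red Hat `/etc/rc.d/init.d/mysql` layout, so the `mysqld_initrc_exec_t` label looks like it will never be applied; it is probably meant to read `/etc/rc\.d/init\.d/mysql` (confirm against the target distributions before changing it). Separately, `/usr/bin/wsrep.*` is labelled `mysqld_safe_exec_t` while `/usr/bin/xtrabackup.*` gets `mysqld_exec_t`; a short comment on why the SST scripts take the safe-wrapper label rather than a dedicated type would help, since the label chosen here influences which domain those scripts end up running in.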
> @@ -0,0 +1,91 @@
> +# This SELinux type enforcement (.te) file has been copied under BSD License
> +# from Percona XtraDB Cluster, along with some additions.
> +
> +module mariadb-server 1.0;
> +
> +require {
> + type user_tmp_t;
> + type kerberos_port_t;
> + type mysqld_safe_t;
> + type tmp_t;
> + type tmpfs_t;
> + type hostname_exec_t;
> + type ifconfig_exec_t;
> + type sysctl_net_t;
> + type proc_net_t;
> + type port_t;
> + type mysqld_t;
> + type var_lib_t;
> + type rsync_exec_t;
> + type bin_t;
> + type shell_exec_t;
> + type anon_inodefs_t;
> + type fixed_disk_device_t;
> + class lnk_file read;
> + class process { getattr signull };
> + class unix_stream_socket connectto;
> + class capability { sys_resource sys_nice };
> + class tcp_socket { name_bind name_connect };
> + class file { execute setattr read create getattr execute_no_trans write
> ioctl
> open append unlink };
> + class sock_file { create unlink getattr };
> + class blk_file { read write open };
> + class dir { write search getattr add_name read remove_name open };
> +
> +# MariaDB additions
> + type tram_port_t;
> + class process setpgid;
> + class netlink_tcpdiag_socket { create nlmsg_read };
> +}
> +
> +
> +#============= mysqld_safe_t ==============
> +allow mysqld_safe_t mysqld_t:process signull;
> +allow mysqld_safe_t self:capability { sys_resource sys_nice };
> +allow mysqld_safe_t tmp_t:file { create read write open getattr unlink ioctl
> setattr };
> +allow mysqld_safe_t tmp_t:dir { write remove_name add_name };
> +allow mysqld_safe_t tmp_t:sock_file { getattr unlink };
> +allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink };
> +allow mysqld_safe_t var_lib_t:dir { write add_name };
> +allow mysqld_safe_t var_lib_t:file { write ioctl setattr create open getattr
> append unlink };
> +
> +#============= mysqld_t ==============
> +allow mysqld_t anon_inodefs_t:file write;
> +allow mysqld_t tmp_t:sock_file { create unlink };
> +allow mysqld_t tmpfs_t:dir { write search read remove_name open add_name };
> +allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
> +allow mysqld_t fixed_disk_device_t:blk_file { read write open };
> +allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans
> getattr };
> +
> +#This rule allows connecting on 4444
> +allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
> +
> +allow mysqld_t mysqld_safe_t:dir { getattr search };
> +allow mysqld_t mysqld_safe_t:file { read open };
> +allow mysqld_t self:unix_stream_socket connectto;
> +allow mysqld_t port_t:tcp_socket { name_bind name_connect };
> +allow mysqld_t proc_net_t:file { read getattr open };
> +allow mysqld_t sysctl_net_t:dir search;
> +allow mysqld_t var_lib_t:file { getattr open append };
> +allow mysqld_t var_lib_t:sock_file { create unlink getattr };
> +allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans
> };
> +allow mysqld_t self:process getattr;
> +allow mysqld_t hostname_exec_t:file { read getattr execute open
> execute_no_trans };
> +allow mysqld_t user_tmp_t:dir { write add_name };
> +allow mysqld_t user_tmp_t:file create;
> +allow mysqld_t bin_t:lnk_file read;
> +allow mysqld_t tmp_t:file { append create read write open getattr unlink
> setattr };
> +
> +# Allows too much leeway - the xtrabackup/wsrep rules in fc should fix it,
> but
> +# keep for the moment.
> +allow mysqld_t shell_exec_t:file { execute_no_trans getattr read execute open
> };
> +allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl
> };
> +
> +# MariaDB additions
> +allow mysqld_t self:process setpgid;
> +# This rule allows port 4567
> +allow mysqld_t tram_port_t:tcp_socket name_bind;
> +
> +# Rules related to XtraBackup
> +allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read };
> +allow mysqld_t sysctl_net_t:file { read getattr open };
> +
> _______________________________________________
> commits mailing list
> comm...@mariadb.org
> https://lists.askmonty.org/cgi-bin/mailman/listinfo/commits
-- -- Daniel Black, Engineer @ Open Query (http://openquery.com.au) Remote expertise & maintenance for MySQL/MariaDB server environments. _______________________________________________ Mailing list: https://launchpad.net/~maria-developers Post to : maria-developers@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-developers More help : https://help.launchpad.net/ListHelp
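Review bot: `allow mysqld_t port_t:tcp_socket { name_bind name_connect };` lets mysqld bind and connect on every TCP port that still carries the generic `port_t` label, which is far wider than the Galera/SST ports the hunk's comments name (4444 via `kerberos_port_t`, 4567 via `tram_port_t`) and, if 4568 is otherwise unlabelled, makes the README's `semanage port -a -t mysqld_port_t -p tcp 4568` step redundant for binding. Prefer labelling the remaining ports explicitly and dropping this rule, and if it must stay, comment which port or use case it covers so it can be narrowed later. `allow mysqld_t fixed_disk_device_t:blk_file { read write open };` is equally broad — write access to raw disk devices from the database domain deserves a comment naming the feature that needs it, or a tunable so deployments that do not use it can leave it off.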