Hi Daniel!

On Fri, Jun 19, 2015 at 2:11 AM, Daniel Black <daniel.bl...@openquery.com.au> wrote:

> Nice work.
>
> https://mariadb.atlassian.net/browse/MDEV-7637 has some
> netlink_audit_socket rules that don't appear to be here.
>
No, I did not try PAM.

> Recommend contributing the selinux component to
> https://github.com/TresysTechnology/refpolicy which distros usually
> develop their policies from.
>
Sure, that's a good idea. I will wait for some time for the policies to stabilize and then open a pull request. There are some version-specific changes that we need to sort out. For instance, tram_port_t (tcp/4567) is defined in CentOS 7.0 and not in CentOS 6.5. And similar stuff.

> Does this work for galera multicast? It appears to only allow tcp bind
> here.
>
No, it didn't. :) I have a patch ready for this now.

>
> note for readme semanage permissive -a mysqld_t - less of a change for
> enabling just that domain to be permissive.
>
Yep, I have updated the README.

>
> Does any of
> https://mariadb.com/kb/en/mariadb/what-to-do-if-mariadb-doesnt-start/
> need changing?
>
It looks good, don't think we need to update it to reflect any change related to this.

Thanks!
--
Nirbhay

>
>
> ----- On 18 Jun, 2015, at 11:59 PM, Nirbhay Choubey nirb...@mariadb.com wrote:
>
> > revision-id: 6050ab658696925f2a031b901eb398fff65fa92a
> > parent(s): 9eff9ed5c58e782abf383a52a7e691a55b4798a2
> > committer: Nirbhay Choubey
> > branch nick: 5.5-galera
> > timestamp: 2015-06-18 09:59:09 -0400
> > message:
> >
> > MDEV-6829 : SELinux/AppArmor policies for Galera server
> >
> > Add SELinux policy and AppArmor profile under policy/.
> >
> > ---
> >  policy/apparmor/README                |   5 ++
> >  policy/apparmor/usr.sbin.mysqld       | 150 ++++++++++++++++++++++++++++++++++
> >  policy/apparmor/usr.sbin.mysqld.local |   4 +
> >  policy/selinux/README                 |  18 ++++
> >  policy/selinux/mariadb-server.fc      |  10 +++
> >  policy/selinux/mariadb-server.te      |  91 +++++++++++++++++++++
> >  6 files changed, 278 insertions(+)
> > > > diff --git a/policy/apparmor/README b/policy/apparmor/README > > new file mode 100644 > > index 0000000..271655f > > --- /dev/null > > +++ b/policy/apparmor/README > > @@ -0,0 +1,5 @@ > > +Note: The included AppArmor profiles can be used for MariaDB Galera > cluster. > > +However, since these profiles had been tested for a limited set of > scenarios, > > +it is highly recommended to run them in "complain" mode and report any > denials > > +on mariadb.org/jira. > > + > > diff --git a/policy/apparmor/usr.sbin.mysqld > b/policy/apparmor/usr.sbin.mysqld > > new file mode 100644 > > index 0000000..307872c > > --- /dev/null > > +++ b/policy/apparmor/usr.sbin.mysqld 
> > @@ -0,0 +1,150 @@ > > +# Last Modified: Fri Mar 1 18:55:47 2013 > > +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu. > > +# This AppArmor profile has been copied under BSD License from > > +# Percona XtraDB Cluster, along with some additions. > > + > > +#include <tunables/global> > > + > > +/usr/sbin/mysqld flags=(complain) { > > + #include <abstractions/base> > > + #include <abstractions/mysql> > > + #include <abstractions/nameservice> > > + #include <abstractions/user-tmp> > > + #include <abstractions/winbind> > > + > > + capability chown, > > + capability dac_override, > > + capability setgid, > > + capability setuid, > > + capability sys_rawio, > > + capability sys_resource, > > + > > + network tcp, > > + > > + /bin/dash rcx, > > + /dev/dm-0 r, > > + /etc/gai.conf r, > > + /etc/group r, > > + /etc/hosts.allow r, > > + /etc/hosts.deny r, > > + /etc/ld.so.cache r, > > + /etc/mtab r, > > + /etc/my.cnf r, > > + /etc/mysql/*.cnf r, > > + /etc/mysql/*.pem r, > > + /etc/mysql/conf.d/ r, > > + /etc/mysql/conf.d/* r, > > + /etc/nsswitch.conf r, > > + /etc/passwd r, > > + /etc/services r, > > + /run/mysqld/mysqld.pid w, > > + /run/mysqld/mysqld.sock w, > > + /sys/devices/system/cpu/ r, > > + owner /tmp/** lk, > > + /tmp/** rw, > > + /usr/lib/mysql/plugin/ r, > > + /usr/lib/mysql/plugin/*.so* mr, > > + /usr/sbin/mysqld mr, > > + /usr/share/mysql/** r, > > + /var/lib/mysql/ r, > > + /var/lib/mysql/** rwk, > > + /var/log/mysql.err rw, > > + /var/log/mysql.log rw, > > + /var/log/mysql/ r, > > + /var/log/mysql/* rw, > > + /var/run/mysqld/mysqld.pid w, > > + /var/run/mysqld/mysqld.sock w, > > + > > + > > + profile /bin/dash flags=(complain) { > > + #include <abstractions/base> > > + #include <abstractions/bash> > > + #include <abstractions/mysql> > > + #include <abstractions/nameservice> > > + #include <abstractions/perl> > > + > > + > > + > > + /bin/cat rix, > > + /bin/dash rix, > > + /bin/date rix, > > + /bin/grep rix, > > + /bin/nc.openbsd rix, > > + 
/bin/netstat rix, > > + /bin/ps rix, > > + /bin/rm rix, > > + /bin/sed rix, > > + /bin/sleep rix, > > + /bin/tar rix, > > + /bin/which rix, > > + /dev/tty rw, > > + /etc/ld.so.cache r, > > + /etc/my.cnf r, > > + /proc/ r, > > + /proc/*/cmdline r, > > + /proc/*/fd/ r, > > + /proc/*/net/dev r, > > + /proc/*/net/if_inet6 r, > > + /proc/*/net/tcp r, > > + /proc/*/net/tcp6 r, > > + /proc/*/stat r, > > + /proc/*/status r, > > + /proc/sys/kernel/pid_max r, > > + /proc/tty/drivers r, > > + /proc/uptime r, > > + /proc/version r, > > + /sbin/ifconfig rix, > > + /sys/devices/system/cpu/ r, > > + /tmp/** rw, > > + /usr/bin/cut rix, > > + /usr/bin/dirname rix, > > + /usr/bin/gawk rix, > > + /usr/bin/innobackupex rix, > > + /usr/bin/mysql rix, > > + /usr/bin/perl rix, > > + /usr/bin/seq rix, > > + /usr/bin/wsrep_sst* rix, > > + /usr/bin/wsrep_sst_common r, > > + /usr/bin/xtrabackup* rix, > > + /var/lib/mysql/ r, > > + /var/lib/mysql/** rw, > > + /var/lib/mysql/*.log w, > > + /var/lib/mysql/*.err w, > > + > > +# MariaDB additions > > + ptrace peer=@{profile_name}, > > + > > + /bin/hostname rix, > > + /bin/ip rix, > > + /bin/mktemp rix, > > + /bin/ss rix, > > + /bin/sync rix, > > + /bin/touch rix, > > + /bin/uname rix, > > + /etc/mysql/*.cnf r, > > + /etc/mysql/conf.d/ r, > > + /etc/mysql/conf.d/* r, > > + /proc/*/attr/current r, > > + /proc/*/fdinfo/* r, > > + /proc/*/net/* r, > > + /proc/locks r, > > + /proc/sys/net/ipv4/ip_local_port_range r, > > + /run/mysqld/mysqld.sock rw, > > + /sbin/ip rix, > > + /usr/bin/basename rix, > > + /usr/bin/du rix, > > + /usr/bin/find rix, > > + /usr/bin/lsof rix, > > + /usr/bin/my_print_defaults rix, > > + /usr/bin/mysqldump rix, > > + /usr/bin/pv rix, > > + /usr/bin/rsync rix, > > + /usr/bin/socat rix, > > + /usr/bin/tail rix, > > + /usr/bin/timeout rix, > > + /usr/bin/xargs rix, > > + /usr/bin/xbstream rix, > > + } > > + # Site-specific additions and overrides. See local/README for details. > > + #include <local/usr.sbin.mysqld> > > +} 
> > diff --git a/policy/apparmor/usr.sbin.mysqld.local > > b/policy/apparmor/usr.sbin.mysqld.local > > new file mode 100644 > > index 0000000..a0b8a02 > > --- /dev/null > > +++ b/policy/apparmor/usr.sbin.mysqld.local > > @@ -0,0 +1,4 @@ > > +# Site-specific additions and overrides for usr.sbin.mysqld.. > > +# For more details, please see /etc/apparmor.d/local/README. > > +# This AppArmor profile has been copied under BSD License from > > +# Percona XtraDB Cluster, along with some additions. > > diff --git a/policy/selinux/README b/policy/selinux/README > > new file mode 100644 > > index 0000000..a8c11c7 > > --- /dev/null > > +++ b/policy/selinux/README > > @@ -0,0 +1,18 @@ > > +Note: The included SELinux policy files can be used for MariaDB Galera > cluster. > > +However, since these policies had been tested for a limited set of > scenarios, > > +it is highly recommended to run SELinux in "permissive" mode even with > these > > +policies installed and report any denials on mariadb.org/jira. > > + > > + > > +How to generate and load the policy module of MariaDB Galera cluster ? > > + > > +* Generate the SELinux policy module. > > + # cd <source>/policy/selinux/ > > + # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp > > + > > +* Load the generated policy module. > > + # semodule -i /path/to/mariadb-server.pp > > + > > +* Lastly, run the following command to allow 4568. > > + # semanage port -a -t mysqld_port_t -p tcp 4568 > > + > > diff --git a/policy/selinux/mariadb-server.fc > b/policy/selinux/mariadb-server.fc > > new file mode 100644 > > index 0000000..1a69ecc > > --- /dev/null > > +++ b/policy/selinux/mariadb-server.fc 
> > @@ -0,0 +1,10 @@ > > +# This SELinux file contexts (.fc) file has been copied under BSD > License from > > +# Percona XtraDB Cluster. > > + > > +/etc/init\.d/rc\.d/mysql -- > > gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) > > +/var/lib/mysql/.*\.log -- > gen_context(system_u:object_r:mysqld_log_t,s0) > > +/var/lib/mysql/.*\.err -- > gen_context(system_u:object_r:mysqld_log_t,s0) > > +/var/lib/mysql/.*\.pid -- > gen_context(system_u:object_r:mysqld_var_run_t,s0) > > +/var/lib/mysql/.*\.cnf -- > gen_context(system_u:object_r:mysqld_etc_t,s0) > > +/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0) > > +/usr/bin/wsrep.* -- > gen_context(system_u:object_r:mysqld_safe_exec_t,s0) > > diff --git a/policy/selinux/mariadb-server.te > b/policy/selinux/mariadb-server.te > > new file mode 100644 > > index 0000000..9c0319c > > --- /dev/null > > +++ b/policy/selinux/mariadb-server.te 
> > @@ -0,0 +1,91 @@ > > +# This SELinux type enforcement (.te) file has been copied under BSD > License > > +# from Percona XtraDB Cluster, along with some additions. > > + > > +module mariadb-server 1.0; > > + > > +require { > > + type user_tmp_t; > > + type kerberos_port_t; > > + type mysqld_safe_t; > > + type tmp_t; > > + type tmpfs_t; > > + type hostname_exec_t; > > + type ifconfig_exec_t; > > + type sysctl_net_t; > > + type proc_net_t; > > + type port_t; > > + type mysqld_t; > > + type var_lib_t; > > + type rsync_exec_t; > > + type bin_t; > > + type shell_exec_t; > > + type anon_inodefs_t; > > + type fixed_disk_device_t; > > + class lnk_file read; > > + class process { getattr signull }; > > + class unix_stream_socket connectto; > > + class capability { sys_resource sys_nice }; > > + class tcp_socket { name_bind name_connect }; > > + class file { execute setattr read create getattr execute_no_trans > write ioctl > > open append unlink }; > > + class sock_file { create unlink getattr }; > > + class blk_file { read write open }; > > + class dir { write search getattr add_name read remove_name open }; > > + > > +# MariaDB additions > > + type tram_port_t; > > + class process setpgid; > > + class netlink_tcpdiag_socket { create nlmsg_read }; > > +} > > + > > + > > +#============= mysqld_safe_t ============== > > +allow mysqld_safe_t mysqld_t:process signull; > > +allow mysqld_safe_t self:capability { sys_resource sys_nice }; > > +allow mysqld_safe_t tmp_t:file { create read write open getattr unlink > ioctl > > setattr }; > > +allow mysqld_safe_t tmp_t:dir { write remove_name add_name }; > > +allow mysqld_safe_t tmp_t:sock_file { getattr unlink }; > > +allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink }; > > +allow mysqld_safe_t var_lib_t:dir { write add_name }; > > +allow mysqld_safe_t var_lib_t:file { write ioctl setattr create open > getattr > > append unlink }; > > + > > +#============= mysqld_t ============== > > +allow mysqld_t anon_inodefs_t:file 
write; > > +allow mysqld_t tmp_t:sock_file { create unlink }; > > +allow mysqld_t tmpfs_t:dir { write search read remove_name open > add_name }; > > +allow mysqld_t tmpfs_t:file { write getattr read create unlink open }; > > +allow mysqld_t fixed_disk_device_t:blk_file { read write open }; > > +allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans > > getattr }; > > + > > +#This rule allows connecting on 4444 > > +allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect }; > > + > > +allow mysqld_t mysqld_safe_t:dir { getattr search }; > > +allow mysqld_t mysqld_safe_t:file { read open }; > > +allow mysqld_t self:unix_stream_socket connectto; > > +allow mysqld_t port_t:tcp_socket { name_bind name_connect }; > > +allow mysqld_t proc_net_t:file { read getattr open }; > > +allow mysqld_t sysctl_net_t:dir search; > > +allow mysqld_t var_lib_t:file { getattr open append }; > > +allow mysqld_t var_lib_t:sock_file { create unlink getattr }; > > +allow mysqld_t rsync_exec_t:file { read getattr open execute > execute_no_trans > > }; > > +allow mysqld_t self:process getattr; > > +allow mysqld_t hostname_exec_t:file { read getattr execute open > > execute_no_trans }; > > +allow mysqld_t user_tmp_t:dir { write add_name }; > > +allow mysqld_t user_tmp_t:file create; > > +allow mysqld_t bin_t:lnk_file read; > > +allow mysqld_t tmp_t:file { append create read write open getattr unlink > > setattr }; > > + > > +# Allows too much leeway - the xtrabackup/wsrep rules in fc should fix > it, but > > +# keep for the moment. 
> > +allow mysqld_t shell_exec_t:file { execute_no_trans getattr read > execute open > > }; > > +allow mysqld_t bin_t:file { getattr read execute open execute_no_trans > ioctl }; > > + > > +# MariaDB additions > > +allow mysqld_t self:process setpgid; > > +# This rule allows port 4567 > > +allow mysqld_t tram_port_t:tcp_socket name_bind; > > + > > +# Rules related to XtraBackup > > +allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read }; > > +allow mysqld_t sysctl_net_t:file { read getattr open }; > > + > > _______________________________________________ > > commits mailing list > > comm...@mariadb.org > > https://lists.askmonty.org/cgi-bin/mailman/listinfo/commits > > -- > -- > Daniel Black, Engineer @ Open Query (http://openquery.com.au) > Remote expertise & maintenance for MySQL/MariaDB server environments. >
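Review bot: policy/apparmor/README tells users to run the profiles in complain mode, but policy/apparmor/usr.sbin.mysqld already hardcodes `flags=(complain)` on both `/usr/sbin/mysqld` and the `/bin/dash` child profile, so nothing is ever enforced until someone edits the file by hand. Either document how to switch to enforcing once the denials stop (`aa-enforce /etc/apparmor.d/usr.sbin.mysqld`) or drop the flag and point users at `aa-complain` instead. Minor: "had been tested" should read "have been tested".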
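Review bot: in the usr.sbin.mysqld hunk, `capability sys_rawio,` and `/dev/dm-0 r,` look host-specific and over-broad: sys_rawio permits raw block-device and I/O-port access, and dm-0 is simply whichever device-mapper volume came first on the machine the profile was generated on. If these came from a real denial (SST or filesystem probing), say so in a comment and narrow to the actual path; otherwise drop them. Also, `/tmp/** rw,` appears in both the parent and the `/bin/dash` child while the parent already has `owner /tmp/** lk,`; prefixing the rw rule with `owner` would restrict mysqld to files it created itself. The `# Last Modified: Fri Mar 1 18:55:47 2013` header is stale for a profile that carries the new "MariaDB additions" block.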
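Review bot: typo in the first line of policy/apparmor/usr.sbin.mysqld.local: "usr.sbin.mysqld.." has a doubled full stop. Since this file is what `#include <local/usr.sbin.mysqld>` in the main profile pulls in, the README should also say where to install it (/etc/apparmor.d/local/), because on a system where the distro does not already ship that file the main profile will fail to load on the missing include.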
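Review bot: policy/selinux/README labels only port 4568 with `semanage port -a -t mysqld_port_t -p tcp 4568`, while 4444 and 4567 are handled in the .te by borrowing `kerberos_port_t` and `tram_port_t`. That is inconsistent and, as noted in this thread, `tram_port_t` is not defined on CentOS 6.5, so the module cannot be loaded there. Consider labelling all three ports (4444, 4567, 4568) as mysqld_port_t via `semanage port` in the README and dropping the borrowed types from the policy. Minor: "had been tested" should be "have been tested", and the heading has a stray space before "?".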
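Review bot: in policy/selinux/mariadb-server.fc the init-script context `/etc/init\.d/rc\.d/mysql` looks transposed: on Red Hat systems the directory is /etc/rc.d/init.d/ (with /etc/init.d symlinked to it), so as written the regex should never match and the script keeps whatever label it already has. Please confirm the path on the target systems. A short comment explaining which `.cnf` files are expected under /var/lib/mysql (the `/var/lib/mysql/.*\.cnf` line) would also help readers, since configuration normally lives under /etc.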
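Review bot: in policy/selinux/mariadb-server.te, `allow mysqld_t port_t:tcp_socket { name_bind name_connect };` grants bind and connect on every unlabelled port (the generic `port_t`), which largely defeats port labelling for this domain, and `kerberos_port_t` covers the real Kerberos ports (88 and 750 in the reference policy) as well as 4444, so the "connecting on 4444" rule also lets mysqld bind to the KDC ports. Labelling 4444/4567/4568 as mysqld_port_t with `semanage port`, as the README already does for 4568, would let both rules and the `tram_port_t` rule go away. `allow mysqld_t fixed_disk_device_t:blk_file { read write open };` is likewise a large grant (raw read/write of disk devices) that deserves a comment naming the code path that needs it.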
_______________________________________________
Mailing list: https://launchpad.net/~maria-developers
Post to     : maria-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-developers
More help   : https://help.launchpad.net/ListHelp