1 | ## <summary>Policy for MySQL</summary> |
2 | ||
########################################
## <summary>
##	Send a generic signal to MySQL.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Only the generic process:signal permission on the mysqld_t domain is
# granted here. The sigkill, sigstop, sigchld and signull permissions are
# separate members of the process class and are NOT granted by this
# interface, so a caller cannot use it to kill or stop the server.
interface(`mysql_signal',`
	gen_require(`
		type mysqld_t;
	')

	# Generic signals (for example a reload request) to the server process.
	allow $1 mysqld_t:process signal;
')

########################################
## <summary>
##	Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): only the mysqld_var_run_t directory itself is made
# searchable; nothing here lets the caller traverse its parent (the
# pid directory prefix, files_search_pids or equivalent). Confirm that
# every caller already has that access, otherwise the connect fails
# before the socket is reached.
interface(`mysql_stream_connect',`
	gen_require(`
		type mysqld_t, mysqld_var_run_t;
	')

	# Find the socket node in the pid directory.
	allow $1 mysqld_var_run_t:dir search;
	# connect() on a unix socket node is checked as write on the sock_file.
	allow $1 mysqld_var_run_t:sock_file write;
	# Complete the connection to the listening server socket; without
	# connectto the two rules above are not sufficient to talk to mysqld.
	allow $1 mysqld_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Read MySQL configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Strictly read-only: no write, setattr, create or unlink is granted on
# mysqld_etc_t, so this interface cannot be used to alter the server
# configuration. Note that no open permission appears in these sets;
# confirm that the target policy version does not enforce the file open
# check, otherwise reads would still be denied.
interface(`mysql_read_config',`
	gen_require(`
		type mysqld_etc_t;
	')

	# List and traverse the configuration directory.
	allow $1 mysqld_etc_t:dir { getattr read search };
	# Read the configuration files themselves ...
	allow $1 mysqld_etc_t:file { read getattr };
	# ... and follow symlinks that point at them.
	allow $1 mysqld_etc_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Search the directories that contain MySQL
##	database storage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
#
# NOTE(review): the comment above is stale; the interface is currently
# named mysql_search_db without a "_dir" suffix. The distinction still
# holds: only directory traversal (search) is granted, no read of the
# database directories or of the files inside them.
interface(`mysql_search_db',`
	gen_require(`
		type mysqld_db_t;
	')

	# The caller must be able to traverse the prefix under which the
	# database storage lives (presumably /var/lib, given the helper name)
	# before the search on mysqld_db_t is of any use.
	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search;
')

########################################
## <summary>
##	Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# rw_dir_perms is the policy-wide directory read/write permission set;
# its definition lives in the policy support macros, not in this file.
# It applies to the directory entries only: access to the files inside
# the database directories is not granted here, and (going by the macro
# name) neither is creating or removing the directories themselves --
# compare mysql_manage_db_dirs below.
interface(`mysql_rw_db_dirs',`
	gen_require(`
		type mysqld_db_t;
	')

	# Traverse the storage prefix, then read/write the database directories.
	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): the summary promises create, read, write AND delete, but
# the single rule below grants create_dir_perms, a permission set defined
# outside this file whose name suggests creation only (compare
# rw_dir_perms in mysql_rw_db_dirs). Check the support macros: if the set
# is narrower than the summary, fix the summary rather than silently
# widening the permissions, since callers were granted this interface on
# the strength of the documented scope.
interface(`mysql_manage_db_dirs',`
	gen_require(`
		type mysqld_db_t;
	')

	# Traverse the storage prefix, then apply the permission set to the
	# database directories.
	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir create_dir_perms;
')

########################################
## <summary>
##	Read and write to the MySQL database
##	named socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# File-level access to the socket node under the database directory
# only. This interface does not grant mysqld_t:unix_stream_socket
# connectto, so on its own it does not let the caller establish a
# connection to the server; see mysql_stream_connect for that.
# rw_file_perms is the policy-wide file read/write set, defined in the
# support macros rather than here.
interface(`mysql_rw_db_sockets',`
	gen_require(`
		type mysqld_db_t;
	')

	# Reach the socket node: traverse the storage prefix and the database
	# directory (search only, no listing).
	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search;
	allow $1 mysqld_db_t:sock_file rw_file_perms;
')

########################################
## <summary>
##	Write to the MySQL log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The permission set is broader than append-only logging: write allows
# overwriting existing log content and setattr allows changing the file
# attributes (for example truncation or mode changes), both of which
# matter for log integrity. No create permission is granted, so the log
# file must already exist. Review with the callers whether write and
# setattr are really required or whether append alone would suffice.
interface(`mysql_write_log',`
	gen_require(`
		type mysqld_log_t;
	')

	# Traverse the log directory prefix (presumably /var/log, given the
	# helper name), then write the mysqld log files.
	logging_search_logs($1)
	allow $1 mysqld_log_t:file { write append setattr ioctl };
')