[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / mysql.if

## <summary>Policy for MySQL</summary>

########################################
## <summary>
##	Send a generic signal to MySQL.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_signal',`
	gen_require(`
		type mysqld_t;
	')

	allow $1 mysqld_t:process signal;
')

########################################
## <summary>
##	Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_stream_connect',`
	gen_require(`
		type mysqld_t, mysqld_var_run_t;
	')

	allow $1 mysqld_var_run_t:dir search;
	allow $1 mysqld_var_run_t:sock_file write;
	allow $1 mysqld_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Read MySQL configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_read_config',`
	gen_require(`
		type mysqld_etc_t;
	')

	allow $1 mysqld_etc_t:dir { getattr read search };
	allow $1 mysqld_etc_t:file { read getattr };
	allow $1 mysqld_etc_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Search the directories that contain MySQL
##	database storage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
interface(`mysql_search_db',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search;
')

########################################
## <summary>
##	Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_rw_db_dirs',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir rw_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_manage_db_dirs',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir create_dir_perms;
')

########################################
## <summary>
##	Read and write to the MySQL database
##	named socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_rw_db_sockets',`
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search;
	allow $1 mysqld_db_t:sock_file rw_file_perms;
')

########################################
## <summary>
##	Write to the MySQL log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_write_log',`
	gen_require(`
		type mysqld_log_t;
	')

	logging_search_logs($1)
	allow $1 mysqld_log_t:file { write append setattr ioctl };
')
Commit	Line	Data
42be7c21 CP	1	## <summary>Policy for MySQL</summary>
	2
	3	########################################
	4	## <summary>
	5	## Send a generic signal to MySQL.
	6	## </summary>
	7	## <param name="domain">
885b83ec	8	## <summary>
42be7c21	9	## Domain allowed access.
885b83ec	10	## </summary>
42be7c21 CP	11	## </param>
	12	#
	13	interface(`mysql_signal',`
	14	gen_require(`
	15	type mysqld_t;
42be7c21 CP	16	')
	17
	18	allow $1 mysqld_t:process signal;
	19	')
	20
	21	########################################
	22	## <summary>
	23	## Connect to MySQL using a unix domain stream socket.
	24	## </summary>
	25	## <param name="domain">
885b83ec	26	## <summary>
42be7c21	27	## Domain allowed access.
885b83ec	28	## </summary>
42be7c21 CP	29	## </param>
	30	#
	31	interface(`mysql_stream_connect',`
	32	gen_require(`
71fe0fa4	33	type mysqld_t, mysqld_var_run_t;
42be7c21 CP	34	')
	35
	36	allow $1 mysqld_var_run_t:dir search;
	37	allow $1 mysqld_var_run_t:sock_file write;
	38	allow $1 mysqld_t:unix_stream_socket connectto;
	39	')
	40
	41	########################################
	42	## <summary>
	43	## Read MySQL configuration files.
	44	## </summary>
	45	## <param name="domain">
885b83ec	46	## <summary>
42be7c21	47	## Domain allowed access.
885b83ec	48	## </summary>
42be7c21 CP	49	## </param>
	50	#
	51	interface(`mysql_read_config',`
	52	gen_require(`
	53	type mysqld_etc_t;
42be7c21 CP	54	')
	55
	56	allow $1 mysqld_etc_t:dir { getattr read search };
	57	allow $1 mysqld_etc_t:file { read getattr };
	58	allow $1 mysqld_etc_t:lnk_file { getattr read };
	59	')
	60
	61	########################################
	62	## <summary>
	63	## Search the directories that contain MySQL
	64	## database storage.
	65	## </summary>
	66	## <param name="domain">
885b83ec	67	## <summary>
42be7c21	68	## Domain allowed access.
885b83ec	69	## </summary>
42be7c21 CP	70	## </param>
	71	#
	72	# cjp: "_dir" in the name is added to clarify that this
	73	# is not searching the database itself.
1815bad1	74	interface(`mysql_search_db',`
42be7c21 CP	75	gen_require(`
42be7c21 CP	76	type mysqld_db_t;
42be7c21 CP	77	')
	78
	79	files_search_var_lib($1)
	80	allow $1 mysqld_db_t:dir search;
	81	')
	82
	83	########################################
	84	## <summary>
	85	## Read and write to the MySQL database directory.
	86	## </summary>
	87	## <param name="domain">
885b83ec	88	## <summary>
42be7c21	89	## Domain allowed access.
885b83ec	90	## </summary>
42be7c21 CP	91	## </param>
42be7c21 CP	92	#
1815bad1	93	interface(`mysql_rw_db_dirs',`
42be7c21 CP	94	gen_require(`
42be7c21 CP	95	type mysqld_db_t;
42be7c21 CP	96	')
	97
	98	files_search_var_lib($1)
	99	allow $1 mysqld_db_t:dir rw_dir_perms;
	100	')
	101
	102	########################################
	103	## <summary>
	104	## Create, read, write, and delete MySQL database directories.
	105	## </summary>
	106	## <param name="domain">
885b83ec	107	## <summary>
42be7c21	108	## Domain allowed access.
885b83ec	109	## </summary>
42be7c21 CP	110	## </param>
42be7c21 CP	111	#
1815bad1	112	interface(`mysql_manage_db_dirs',`
42be7c21	113	gen_require(`
af4752bc	114	type mysqld_db_t;
42be7c21 CP	115	')
	116
	117	files_search_var_lib($1)
	118	allow $1 mysqld_db_t:dir create_dir_perms;
	119	')
	120
4c719948 CP	121	########################################
	122	## <summary>
	123	## Read and write to the MySQL database
	124	## named socket.
	125	## </summary>
	126	## <param name="domain">
885b83ec	127	## <summary>
4c719948	128	## Domain allowed access.
885b83ec	129	## </summary>
4c719948 CP	130	## </param>
4c719948 CP	131	#
1815bad1	132	interface(`mysql_rw_db_sockets',`
4c719948 CP	133	gen_require(`
	134	type mysqld_db_t;
	135	')
	136
	137	files_search_var_lib($1)
	138	allow $1 mysqld_db_t:dir search;
	139	allow $1 mysqld_db_t:sock_file rw_file_perms;
	140	')
	141
42be7c21 CP	142	########################################
	143	## <summary>
	144	## Write to the MySQL log.
	145	## </summary>
	146	## <param name="domain">
885b83ec	147	## <summary>
42be7c21	148	## Domain allowed access.
885b83ec	149	## </summary>
42be7c21 CP	150	## </param>
	151	#
	152	interface(`mysql_write_log',`
	153	gen_require(`
	154	type mysqld_log_t;
42be7c21 CP	155	')
	156
	157	logging_search_logs($1)
	158	allow $1 mysqld_log_t:file { write append setattr ioctl };
	159	')