1
=== added directory 'policy'
2
=== added directory 'policy/apparmor'
3
=== added file 'policy/apparmor/usr.sbin.mysqld'
4
--- policy/apparmor/usr.sbin.mysqld	1970-01-01 00:00:00 +0000
5
+++ policy/apparmor/usr.sbin.mysqld	2013-03-08 16:46:26 +0000
6
@@ -0,0 +1,61 @@
7
1
# Last Modified: Thu Mar  7 21:58:51 2013
8
2
# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
9
3
# For Percona Server and Percona XtraDB Cluster
10
4
11
5
#include <tunables/global>
12
6
13
7
/usr/sbin/mysqld flags=(complain) {
14
8
  #include <abstractions/base>
15
9
  #include <abstractions/mysql>
16
10
  #include <abstractions/nameservice>
17
11
  #include <abstractions/user-tmp>
18
12
  #include <abstractions/winbind>
19
13
  #include <local/usr.sbin.mysqld>
20
14
21
15
22
16
  capability chown,
23
17
  capability dac_override,
24
18
  capability setgid,
25
19
  capability setuid,
26
20
  capability sys_rawio,
27
21
  capability sys_resource,
28
22
29
23
  network tcp,
30
24
31
25
32
26
  /dev/dm-0 r,
33
27
  /etc/group r,
34
28
  /etc/gai.conf r,
35
29
  /etc/hosts.allow r,
36
30
  /etc/hosts.deny r,
37
31
  /etc/ld.so.cache r,
38
32
  /etc/mtab r,
39
33
  /etc/my.cnf r,
40
34
  /etc/mysql/*.cnf r,
41
35
  /etc/mysql/*.pem r,
42
36
  /etc/mysql/conf.d/ r,
43
37
  /etc/mysql/conf.d/* r,
44
38
  /etc/nsswitch.conf r,
45
39
  /etc/passwd r,
46
40
  /etc/services r,
47
41
  /run/mysqld/mysqld.pid w,
48
42
  /run/mysqld/mysqld.sock w,
49
43
  /sys/devices/system/cpu/ r,
50
44
  owner /tmp/** lk,
51
45
  /tmp/** rw,
52
46
  /usr/lib/mysql/plugin/ r,
53
47
  /usr/lib/mysql/plugin/*.so* mr,
54
48
  /usr/sbin/mysqld mr,
55
49
  /usr/share/mysql/** r,
56
50
  /var/lib/mysql/ r,
57
51
  /var/lib/mysql/** rwk,
58
52
  /var/log/mysql.err rw,
59
53
  /var/log/mysql.log rw,
60
54
  /var/log/mysql/ r,
61
55
  /var/log/mysql/* rw,
62
56
  /var/run/mysqld/mysqld.pid w,
63
57
  /var/run/mysqld/mysqld.sock w,
64
58
65
59
  # Site-specific additions and overrides. See local/README for details.
66
60
  #include <local/usr.sbin.mysqld>
67
61
}
68
0
62
69
=== added file 'policy/apparmor/usr.sbin.mysqld.local'
70
--- policy/apparmor/usr.sbin.mysqld.local	1970-01-01 00:00:00 +0000
71
+++ policy/apparmor/usr.sbin.mysqld.local	2013-03-08 16:46:26 +0000
72
@@ -0,0 +1,2 @@
73
1
# Site-specific additions and overrides for usr.sbin.mysqld..
74
2
# For more details, please see /etc/apparmor.d/local/README.
75
0
3
76
=== added directory 'policy/selinux'
77
=== added file 'policy/selinux/percona-server.fc'
78
--- policy/selinux/percona-server.fc	1970-01-01 00:00:00 +0000
79
+++ policy/selinux/percona-server.fc	2013-03-08 16:46:26 +0000
80
@@ -0,0 +1,6 @@
81
1
/etc/init\.d/rc\.d/mysql -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
82
2
/var/lib/mysql/.*\.log --  gen_context(system_u:object_r:mysqld_log_t,s0)
83
3
/var/lib/mysql/.*\.err --  gen_context(system_u:object_r:mysqld_log_t,s0)
84
4
/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)
85
5
/var/lib/mysql/.*\.cnf	--  gen_context(system_u:object_r:mysqld_etc_t,s0)
86
6
/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0)
87
0
7
88
=== added file 'policy/selinux/percona-server.te'
89
--- policy/selinux/percona-server.te	1970-01-01 00:00:00 +0000
90
+++ policy/selinux/percona-server.te	2013-03-08 16:46:26 +0000
91
@@ -0,0 +1,35 @@
92
1
# This adds few more rules in addition to mysql.pp in selinux-policy-targeted
93
2
module percona-server 1.0;
94
3
95
4
require {
96
5
        type user_tmp_t;
97
6
        type mysqld_safe_t;
98
7
        type tmp_t;
99
8
        type fixed_disk_device_t;
100
9
        type mysqld_t;
101
10
        type tmpfs_t;
102
11
        class sock_file { getattr unlink create };
103
12
        class capability { sys_nice sys_resource };
104
13
        class blk_file { read write open };
105
14
        class file { write getattr read create unlink open };
106
15
        class dir { search read write remove_name open add_name };
107
16
}
108
17
109
18
#============= mysqld_safe_t ==============
110
19
allow mysqld_safe_t self:capability { sys_nice sys_resource };
111
20
112
21
allow mysqld_safe_t tmp_t:dir { write remove_name };
113
22
allow mysqld_safe_t tmp_t:sock_file { getattr unlink };
114
23
allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink };
115
24
116
25
#============= mysqld_t ==============
117
26
allow mysqld_t fixed_disk_device_t:blk_file { read write open };
118
27
allow mysqld_t tmp_t:sock_file { create unlink };
119
28
120
29
allow mysqld_t tmpfs_t:dir { write search read remove_name open add_name };
121
30
allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
122
31
123
32
allow mysqld_t user_tmp_t:dir { write add_name };
124
33
allow mysqld_t user_tmp_t:file create;
125
34
126
35
allow mysqld_t tmp_t:file { append create read write open getattr unlink setattr };
Reviewer	Review Type	Date Requested	Status
Alexey Kopytov (community)		2013-03-08	Needs Resubmitting on 2013-03-18
Review via email: mp+152453@code.launchpad.net