Merge lp:~raghavendra-prabhu/percona-xtradb-cluster/bug-1131102 into lp:percona-xtradb-cluster/percona-xtradb-cluster-5.5

Proposed by Raghavendra D Prabhu
Status: Merged
Approved by: Vadim Tkachenko
Approved revision: no longer in the source branch.
Merged at revision: 387
Proposed branch: lp:~raghavendra-prabhu/percona-xtradb-cluster/bug-1131102
Merge into: lp:percona-xtradb-cluster/percona-xtradb-cluster-5.5
Diff against target: 220 lines (+198/-0)
4 files modified
policy/apparmor/usr.sbin.mysqld (+116/-0)
policy/apparmor/usr.sbin.mysqld.local (+2/-0)
policy/selinux/percona-xtradb-cluster.fc (+7/-0)
policy/selinux/percona-xtradb-cluster.te (+73/-0)
To merge this branch: bzr merge lp:~raghavendra-prabhu/percona-xtradb-cluster/bug-1131102
Reviewer Review Type Date Requested Status
Alexey Kopytov (community) Needs Information
Vadim Tkachenko Approve
Review via email: mp+152455@code.launchpad.net

Description of the change

Selinux and Apparmor policies for PXC.

Vadim Tkachenko (vadim-tk) :
review: Approve
Alexey Kopytov (akopytov) wrote :

Shouldn't this be MPed for Percona Server first, and then merged to PXC naturally?

Also, it looks like this fix is missing the packaging part, i.e. it just adds a file, but it will not be used and installed by packages?

review: Needs Information
Raghavendra D Prabhu (raghavendra-prabhu) wrote :

Yes, these are just the files. The packaging part needs to be done, preferably by Ignacio or BAlexey. However, I can also do this. Packaging can initially consist of only distributing the '.pp'/apparmor profile file(s) as part of the package, as done by upstream.

I have also submitted MP for both PXC and PS.

Alexey Kopytov (akopytov) wrote :

Thanks for clarifications. Can you also create a separate packaging bug?

Raghavendra D Prabhu (raghavendra-prabhu) wrote :

Ack. Will report this as a separate bug.

Raghavendra D Prabhu (raghavendra-prabhu) wrote :

Created lp:1159765 for that.

Preview Diff

=== added directory 'policy'
=== added directory 'policy/apparmor'
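--- a/policy/apparmor/usr.sbin.mysqld
+++ b/policy/apparmor/usr.sbin.mysqld
@@ -0,0 +1,116 @@
+# Last Modified: Fri Mar 1 18:55:47 2013
+# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
+# For Percona Server and Percona XtraDB Cluster
+
+#include <tunables/global>
+
+/usr/sbin/mysqld flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/winbind>
+
+ capability chown,
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+ capability sys_rawio,
+ capability sys_resource,
+
+ network tcp,
+
+ /bin/dash rcx,
+ /dev/dm-0 r,
+ /etc/gai.conf r,
+ /etc/group r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/ld.so.cache r,
+ /etc/mtab r,
+ /etc/my.cnf r,
+ /etc/mysql/*.cnf r,
+ /etc/mysql/*.pem r,
+ /etc/mysql/conf.d/ r,
+ /etc/mysql/conf.d/* r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/services r,
+ /run/mysqld/mysqld.pid w,
+ /run/mysqld/mysqld.sock w,
+ /sys/devices/system/cpu/ r,
+ owner /tmp/** lk,
+ /tmp/** rw,
+ /usr/lib/mysql/plugin/ r,
+ /usr/lib/mysql/plugin/*.so* mr,
+ /usr/sbin/mysqld mr,
+ /usr/share/mysql/** r,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rwk,
+ /var/log/mysql.err rw,
+ /var/log/mysql.log rw,
+ /var/log/mysql/ r,
+ /var/log/mysql/* rw,
+ /var/run/mysqld/mysqld.pid w,
+ /var/run/mysqld/mysqld.sock w,
+
+
+ profile /bin/dash flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/perl>
+
+
+
+ /bin/cat rix,
+ /bin/dash rix,
+ /bin/date rix,
+ /bin/grep rix,
+ /bin/nc.openbsd rix,
+ /bin/netstat rix,
+ /bin/ps rix,
+ /bin/rm rix,
+ /bin/sed rix,
+ /bin/sleep rix,
+ /bin/tar rix,
+ /bin/which rix,
+ /dev/tty rw,
+ /etc/ld.so.cache r,
+ /etc/my.cnf r,
+ /proc/ r,
+ /proc/*/cmdline r,
+ /proc/*/fd/ r,
+ /proc/*/net/dev r,
+ /proc/*/net/if_inet6 r,
+ /proc/*/net/tcp r,
+ /proc/*/net/tcp6 r,
+ /proc/*/stat r,
+ /proc/*/status r,
+ /proc/sys/kernel/pid_max r,
+ /proc/tty/drivers r,
+ /proc/uptime r,
+ /proc/version r,
+ /sbin/ifconfig rix,
+ /sys/devices/system/cpu/ r,
+ /tmp/* rw,
+ /usr/bin/cut rix,
+ /usr/bin/dirname rix,
+ /usr/bin/gawk rix,
+ /usr/bin/innobackupex rix,
+ /usr/bin/mysql rix,
+ /usr/bin/perl rix,
+ /usr/bin/seq rix,
+ /usr/bin/wsrep_sst* rix,
+ /usr/bin/wsrep_sst_common r,
+ /usr/bin/xtrabackup* rix,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rw,
+ /var/lib/mysql/*.log w,
+ /var/lib/mysql/*.err w,
+
+ }
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.mysqld>
+}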
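Review bot: Both the mysqld profile and the nested /bin/dash profile carry `flags=(complain)`, so as committed the policy only logs denials and confines nothing; if complain mode is the intended first rollout, the header should say so, e.g. `# Shipped in complain mode: violations are logged, not blocked. Switch to enforce (aa-enforce) once SST runs have been validated.` Several entries look host-specific from profile generation (`/dev/dm-0 r`, `/bin/nc.openbsd rix`) and should be generalised or justified before enforce mode. `/tmp/** rw` in the parent and `/tmp/* rw` in the child are granted without the `owner` qualifier, which is broader than the `owner /tmp/** lk` line beside it; consider narrowing them the same way. `capability sys_rawio` also deserves a why-comment, since nothing in the profile shows what needs it.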
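--- a/policy/apparmor/usr.sbin.mysqld.local
+++ b/policy/apparmor/usr.sbin.mysqld.local
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.mysqld..
+# For more details, please see /etc/apparmor.d/local/README.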
=== added directory 'policy/selinux'
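--- a/policy/selinux/percona-xtradb-cluster.fc
+++ b/policy/selinux/percona-xtradb-cluster.fc
@@ -0,0 +1,7 @@
+/etc/init\.d/rc\.d/mysql -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/var/lib/mysql/.*\.log -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/lib/mysql/.*\.err -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/lib/mysql/.*\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/wsrep.* -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)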
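Review bot: The first pattern `/etc/init\.d/rc\.d/mysql` looks like a path that exists on neither common layout (`/etc/init.d/mysql` or `/etc/rc.d/init.d/mysql`), so the mysqld_initrc_exec_t label would never be applied; confirm the intended path and correct the regex. The `/usr/bin/xtrabackup.*` and `/usr/bin/wsrep.*` entries assign mysqld_exec_t and mysqld_safe_exec_t, but a label only narrows behaviour if the domain rules are written against it; while the .te keeps execute_no_trans on bin_t and shell_exec_t for mysqld_t, these entries relabel without restricting what the server may run. A one-line comment on each of those two entries naming the SST method it serves would help whoever later tightens the .te to per-binary types.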
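--- a/policy/selinux/percona-xtradb-cluster.te
+++ b/policy/selinux/percona-xtradb-cluster.te
@@ -0,0 +1,73 @@
+module percona-xtradb-cluster 1.0;
+
+require {
+ type user_tmp_t;
+ type kerberos_master_port_t;
+ type mysqld_safe_t;
+ type tmp_t;
+ type tmpfs_t;
+ type hostname_exec_t;
+ type ifconfig_exec_t;
+ type sysctl_net_t;
+ type proc_net_t;
+ type port_t;
+ type mysqld_t;
+ type var_lib_t;
+ type rsync_exec_t;
+ type bin_t;
+ type shell_exec_t;
+ type anon_inodefs_t;
+ type fixed_disk_device_t;
+ class lnk_file read;
+ class process { getattr signull };
+ class unix_stream_socket connectto;
+ class capability { sys_resource sys_nice };
+ class tcp_socket { name_bind name_connect };
+ class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
+ class sock_file { create unlink getattr };
+ class blk_file { read write open };
+ class dir { write search getattr add_name read remove_name open };
+}
+
+
+#============= mysqld_safe_t ==============
+allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t self:capability { sys_resource sys_nice };
+allow mysqld_safe_t tmp_t:file { create read write open getattr unlink ioctl setattr };
+allow mysqld_safe_t tmp_t:dir { write remove_name add_name };
+allow mysqld_safe_t tmp_t:sock_file { getattr unlink };
+allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink };
+allow mysqld_safe_t var_lib_t:dir { write add_name };
+allow mysqld_safe_t var_lib_t:file { write ioctl setattr create open getattr append unlink };
+
+#============= mysqld_t ==============
+allow mysqld_t anon_inodefs_t:file write;
+allow mysqld_t tmp_t:sock_file { create unlink };
+allow mysqld_t tmpfs_t:dir { write search read remove_name open add_name };
+allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
+allow mysqld_t fixed_disk_device_t:blk_file { read write open };
+allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans getattr };
+
+#This rule allows connecting on 4444/4567/4568
+allow mysqld_t kerberos_master_port_t:tcp_socket { name_bind name_connect };
+
+allow mysqld_t mysqld_safe_t:dir { getattr search };
+allow mysqld_t mysqld_safe_t:file { read open };
+allow mysqld_t self:unix_stream_socket connectto;
+allow mysqld_t port_t:tcp_socket { name_bind name_connect };
+allow mysqld_t proc_net_t:file { read getattr open };
+allow mysqld_t sysctl_net_t:dir search;
+allow mysqld_t var_lib_t:file { getattr open append };
+allow mysqld_t var_lib_t:sock_file { create unlink getattr };
+allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans };
+allow mysqld_t self:process getattr;
+allow mysqld_t hostname_exec_t:file { read getattr execute open execute_no_trans };
+allow mysqld_t user_tmp_t:dir { write add_name };
+allow mysqld_t user_tmp_t:file create;
+allow mysqld_t bin_t:lnk_file read;
+allow mysqld_t tmp_t:file { append create read write open getattr unlink setattr };
+
+# Allows too much leeway - the xtrabackup/wsrep rules in fc should fix it, but
+# keep for the moment.
+allow mysqld_t shell_exec_t:file { execute_no_trans getattr read execute open };
+allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };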
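Review bot: `allow mysqld_t port_t:tcp_socket { name_bind name_connect }` grants bind and connect on every port that carries the generic port_t label, far wider than the three cluster ports the comment a few lines above names; a tighter approach is to give 4444/4567/4568 a mysqld-specific port type via `semanage port` and keep only the type-specific rule. The kerberos_master_port_t rule relies on the distribution's default labelling of those ports, so its comment should state that dependency rather than just listing the numbers. `allow mysqld_t fixed_disk_device_t:blk_file { read write open }` lets the server write raw block devices and deserves a why-comment naming the feature that requires it, or removal if none does. The last two rules already flag themselves as too permissive; note that the `.fc` relabels cannot narrow them while execute_no_trans on bin_t and shell_exec_t remains, so the follow-up should replace them with per-binary types.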
