Merge lp:~raghavendra-prabhu/percona-server/bug-1131102 into lp:percona-server/5.5

Proposed by Raghavendra D Prabhu
Status: Merged
Approved by: Alexey Kopytov
Approved revision: 463
Merged at revision: 482
Proposed branch: lp:~raghavendra-prabhu/percona-server/bug-1131102
Merge into: lp:percona-server/5.5
Diff against target: 126 lines (+104/-0)
4 files modified
policy/apparmor/usr.sbin.mysqld (+61/-0)
policy/apparmor/usr.sbin.mysqld.local (+2/-0)
policy/selinux/percona-server.fc (+6/-0)
policy/selinux/percona-server.te (+35/-0)
To merge this branch: bzr merge lp:~raghavendra-prabhu/percona-server/bug-1131102
Reviewer Review Type Date Requested Status
Alexey Kopytov (community) Approve
Review via email: mp+155213@code.launchpad.net
Alexey Kopytov (akopytov) :
review: Approve

Preview Diff

1=== added directory 'policy'
2=== added directory 'policy/apparmor'
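--- a/policy/apparmor/usr.sbin.mysqld
+++ b/policy/apparmor/usr.sbin.mysqld
@@ -0,0 +1,61 @@
+# Last Modified: Thu Mar 7 21:58:51 2013
+# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
+# For Percona Server and Percona XtraDB Cluster
+
+#include <tunables/global>
+
+/usr/sbin/mysqld flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/winbind>
+ #include <local/usr.sbin.mysqld>
+
+
+ capability chown,
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+ capability sys_rawio,
+ capability sys_resource,
+
+ network tcp,
+
+
+ /dev/dm-0 r,
+ /etc/group r,
+ /etc/gai.conf r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/ld.so.cache r,
+ /etc/mtab r,
+ /etc/my.cnf r,
+ /etc/mysql/*.cnf r,
+ /etc/mysql/*.pem r,
+ /etc/mysql/conf.d/ r,
+ /etc/mysql/conf.d/* r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/services r,
+ /run/mysqld/mysqld.pid w,
+ /run/mysqld/mysqld.sock w,
+ /sys/devices/system/cpu/ r,
+ owner /tmp/** lk,
+ /tmp/** rw,
+ /usr/lib/mysql/plugin/ r,
+ /usr/lib/mysql/plugin/*.so* mr,
+ /usr/sbin/mysqld mr,
+ /usr/share/mysql/** r,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rwk,
+ /var/log/mysql.err rw,
+ /var/log/mysql.log rw,
+ /var/log/mysql/ r,
+ /var/log/mysql/* rw,
+ /var/run/mysqld/mysqld.pid w,
+ /var/run/mysqld/mysqld.sock w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.mysqld>
+}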
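Review bot: The profile is declared with `flags=(complain)`, so none of the rules in it are enforced until that flag is dropped or the profile is switched with aa-enforce; if shipping in complain mode is the intended first step, the header should say so, e.g. `# Shipped in complain mode; switch to enforce once the audit log is clean.` The pair `capability sys_rawio` and `/dev/dm-0 r` is a broad grant (raw read of a block device) tied to a deployment-specific device name that only matches the first device-mapper volume, and nothing in the file says what needs it; a one-line comment stating the reason would let a site decide whether to keep, narrow or drop it. `#include <local/usr.sbin.mysqld>` appears twice, once among the abstractions and again at the end under the site-specific comment; the first occurrence is redundant and can be removed.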
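--- a/policy/apparmor/usr.sbin.mysqld.local
+++ b/policy/apparmor/usr.sbin.mysqld.local
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.mysqld..
+# For more details, please see /etc/apparmor.d/local/README.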
76=== added directory 'policy/selinux'
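--- a/policy/selinux/percona-server.fc
+++ b/policy/selinux/percona-server.fc
@@ -0,0 +1,6 @@
+/etc/init\.d/rc\.d/mysql -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/var/lib/mysql/.*\.log -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/lib/mysql/.*\.err -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/lib/mysql/.*\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0)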
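Review bot: The first entry's path `/etc/init\.d/rc\.d/mysql` looks like a transposition of the usual init-script location `/etc/rc\.d/init\.d/mysql`; as written it would match nothing on a stock layout, so the init script would keep its default label rather than mysqld_initrc_exec_t. The last entry labels `/usr/bin/xtrabackup.*` as mysqld_exec_t, which makes those binaries entry points for the mysqld_t domain and so extends every allow rule this proposal grants to mysqld_t to backup runs; if that is the intent, a comment stating it would make the choice reviewable, e.g. `# xtrabackup binaries enter mysqld_t so backups can read the datadir`.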
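--- a/policy/selinux/percona-server.te
+++ b/policy/selinux/percona-server.te
@@ -0,0 +1,35 @@
+# This adds few more rules in addition to mysql.pp in selinux-policy-targeted
+module percona-server 1.0;
+
+require {
+ type user_tmp_t;
+ type mysqld_safe_t;
+ type tmp_t;
+ type fixed_disk_device_t;
+ type mysqld_t;
+ type tmpfs_t;
+ class sock_file { getattr unlink create };
+ class capability { sys_nice sys_resource };
+ class blk_file { read write open };
+ class file { write getattr read create unlink open };
+ class dir { search read write remove_name open add_name };
+}
+
+#============= mysqld_safe_t ==============
+allow mysqld_safe_t self:capability { sys_nice sys_resource };
+
+allow mysqld_safe_t tmp_t:dir { write remove_name };
+allow mysqld_safe_t tmp_t:sock_file { getattr unlink };
+allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink };
+
+#============= mysqld_t ==============
+allow mysqld_t fixed_disk_device_t:blk_file { read write open };
+allow mysqld_t tmp_t:sock_file { create unlink };
+
+allow mysqld_t tmpfs_t:dir { write search read remove_name open add_name };
+allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
+
+allow mysqld_t user_tmp_t:dir { write add_name };
+allow mysqld_t user_tmp_t:file create;
+
+allow mysqld_t tmp_t:file { append create read write open getattr unlink setattr };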
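Review bot: `allow mysqld_t fixed_disk_device_t:blk_file { read write open };` gives the server write access to raw fixed-disk block devices, which bypasses file-level labelling entirely, while the AppArmor profile in this same proposal grants only `/dev/dm-0 r`; unless raw writes are actually needed the rule should be narrowed to `allow mysqld_t fixed_disk_device_t:blk_file { read open };` and the reason recorded in a comment such as `# raw block device read needed for <reason — fill in>`. The header says these rules supplement mysql.pp but not which denials produced them; a short comment above each section naming the operation that triggered the rules (the audit2allow context) would let a maintainer prune entries that stop being necessary.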
