Merge lp:~raghavendra-prabhu/percona-xtradb-cluster/bug-1131102 into lp:percona-xtradb-cluster/percona-xtradb-cluster-5.5

Proposed by Raghavendra D Prabhu
Status: Merged
Approved by: Vadim Tkachenko
Approved revision: 387
Merged at revision: 387
Proposed branch: lp:~raghavendra-prabhu/percona-xtradb-cluster/bug-1131102
Merge into: lp:percona-xtradb-cluster/percona-xtradb-cluster-5.5
Diff against target: 220 lines (+198/-0)
4 files modified
policy/apparmor/usr.sbin.mysqld (+116/-0)
policy/apparmor/usr.sbin.mysqld.local (+2/-0)
policy/selinux/percona-xtradb-cluster.fc (+7/-0)
policy/selinux/percona-xtradb-cluster.te (+73/-0)
To merge this branch: bzr merge lp:~raghavendra-prabhu/percona-xtradb-cluster/bug-1131102
Reviewer Review Type Date Requested Status
Alexey Kopytov (community) Needs Information
Vadim Tkachenko Approve
Review via email: mp+152455@code.launchpad.net

Description of the change

SELinux and AppArmor policies for PXC.

Vadim Tkachenko (vadim-tk) :
review: Approve
Alexey Kopytov (akopytov) wrote :

Shouldn't this be MPed for Percona Server first, and then merged to PXC naturally?

Also, it looks like this fix is missing the packaging part, i.e. it just adds a file, but it will not be used and installed by packages?

review: Needs Information

Yes, these are just the files. The packaging part needs to be done, preferably by Ignacio or BAlexey. However, I can also do this. Packaging initially can be only distributing the '.pp'/apparmor profile file(s) as part of package as done by the upstream

I have also submitted MP for both PXC and PS.

Alexey Kopytov (akopytov) wrote :

Thanks for clarifications. Can you also create a separate packaging bug?

Ack. Will report this as a separate bug.

Created lp:1159765 for that.

Preview Diff

1=== added directory 'policy'
2=== added directory 'policy/apparmor'
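--- a/policy/apparmor/usr.sbin.mysqld
+++ b/policy/apparmor/usr.sbin.mysqld
@@ -0,0 +1,116 @@
+# Last Modified: Fri Mar 1 18:55:47 2013
+# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
+# For Percona Server and Percona XtraDB Cluster
+
+#include <tunables/global>
+
+/usr/sbin/mysqld flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/winbind>
+
+ capability chown,
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+ capability sys_rawio,
+ capability sys_resource,
+
+ network tcp,
+
+ /bin/dash rcx,
+ /dev/dm-0 r,
+ /etc/gai.conf r,
+ /etc/group r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/ld.so.cache r,
+ /etc/mtab r,
+ /etc/my.cnf r,
+ /etc/mysql/*.cnf r,
+ /etc/mysql/*.pem r,
+ /etc/mysql/conf.d/ r,
+ /etc/mysql/conf.d/* r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/services r,
+ /run/mysqld/mysqld.pid w,
+ /run/mysqld/mysqld.sock w,
+ /sys/devices/system/cpu/ r,
+ owner /tmp/** lk,
+ /tmp/** rw,
+ /usr/lib/mysql/plugin/ r,
+ /usr/lib/mysql/plugin/*.so* mr,
+ /usr/sbin/mysqld mr,
+ /usr/share/mysql/** r,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rwk,
+ /var/log/mysql.err rw,
+ /var/log/mysql.log rw,
+ /var/log/mysql/ r,
+ /var/log/mysql/* rw,
+ /var/run/mysqld/mysqld.pid w,
+ /var/run/mysqld/mysqld.sock w,
+
+
+ profile /bin/dash flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/perl>
+
+
+
+ /bin/cat rix,
+ /bin/dash rix,
+ /bin/date rix,
+ /bin/grep rix,
+ /bin/nc.openbsd rix,
+ /bin/netstat rix,
+ /bin/ps rix,
+ /bin/rm rix,
+ /bin/sed rix,
+ /bin/sleep rix,
+ /bin/tar rix,
+ /bin/which rix,
+ /dev/tty rw,
+ /etc/ld.so.cache r,
+ /etc/my.cnf r,
+ /proc/ r,
+ /proc/*/cmdline r,
+ /proc/*/fd/ r,
+ /proc/*/net/dev r,
+ /proc/*/net/if_inet6 r,
+ /proc/*/net/tcp r,
+ /proc/*/net/tcp6 r,
+ /proc/*/stat r,
+ /proc/*/status r,
+ /proc/sys/kernel/pid_max r,
+ /proc/tty/drivers r,
+ /proc/uptime r,
+ /proc/version r,
+ /sbin/ifconfig rix,
+ /sys/devices/system/cpu/ r,
+ /tmp/* rw,
+ /usr/bin/cut rix,
+ /usr/bin/dirname rix,
+ /usr/bin/gawk rix,
+ /usr/bin/innobackupex rix,
+ /usr/bin/mysql rix,
+ /usr/bin/perl rix,
+ /usr/bin/seq rix,
+ /usr/bin/wsrep_sst* rix,
+ /usr/bin/wsrep_sst_common r,
+ /usr/bin/xtrabackup* rix,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rw,
+ /var/lib/mysql/*.log w,
+ /var/lib/mysql/*.err w,
+
+ }
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.mysqld>
+}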
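Review bot: Both the main profile (`/usr/sbin/mysqld flags=(complain)`) and the nested `profile /bin/dash flags=(complain)` are declared in complain mode, so as shipped this profile only logs denials and confines nothing; if that is intentional for a first iteration, say so in the header, e.g. `# NOTE: shipped in complain mode for field testing; switch to enforce once the SST paths have been exercised`. Before it can be enforced, the nested dash profile appears incomplete: it executes `/bin/nc.openbsd` but carries no `network` rule (a child profile does not inherit the parent's `network tcp,`), and it lists no `/usr/bin/rsync` even though the SELinux module in the same change grants `rsync_exec_t` execution, so nc- and rsync-based SST would presumably be denied once enforced; adding `network tcp,` and `/usr/bin/rsync rix,` to the child profile would cover that. Separately, `/tmp/** rw` in the main profile is not qualified with `owner`, unlike the `lk` rule beside it, so mysqld may read and write other users' files under /tmp.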
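--- a/policy/apparmor/usr.sbin.mysqld.local
+++ b/policy/apparmor/usr.sbin.mysqld.local
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.mysqld..
+# For more details, please see /etc/apparmor.d/local/README.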
131=== added directory 'policy/selinux'
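--- a/policy/selinux/percona-xtradb-cluster.fc
+++ b/policy/selinux/percona-xtradb-cluster.fc
@@ -0,0 +1,7 @@
+/etc/init\.d/rc\.d/mysql -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/var/lib/mysql/.*\.log -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/lib/mysql/.*\.err -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/lib/mysql/.*\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/wsrep.* -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)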
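Review bot: The first file context, `/etc/init\.d/rc\.d/mysql`, matches neither of the usual init-script locations (`/etc/rc.d/init.d/mysql` on RHEL-style systems, `/etc/init.d/mysql` on Debian-style ones), so it looks like a transposed path; if the init script never gets `mysqld_initrc_exec_t`, the domain transition into `mysqld_safe_t`/`mysqld_t` presumably does not occur and the server runs unconfined in the caller's domain. It should probably read `/etc/rc\.d/init\.d/mysql -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)`, with a second entry for `/etc/init\.d/mysql` if both layouts are targeted. A one-line comment on why `/usr/bin/wsrep.*` is labeled `mysqld_safe_exec_t` while `/usr/bin/xtrabackup.*` is `mysqld_exec_t` would also help, since the `.te` file's own comment says these labels are meant to eventually replace its broad `bin_t`/`shell_exec_t` execute rules.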
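--- a/policy/selinux/percona-xtradb-cluster.te
+++ b/policy/selinux/percona-xtradb-cluster.te
@@ -0,0 +1,73 @@
+module percona-xtradb-cluster 1.0;
+
+require {
+ type user_tmp_t;
+ type kerberos_master_port_t;
+ type mysqld_safe_t;
+ type tmp_t;
+ type tmpfs_t;
+ type hostname_exec_t;
+ type ifconfig_exec_t;
+ type sysctl_net_t;
+ type proc_net_t;
+ type port_t;
+ type mysqld_t;
+ type var_lib_t;
+ type rsync_exec_t;
+ type bin_t;
+ type shell_exec_t;
+ type anon_inodefs_t;
+ type fixed_disk_device_t;
+ class lnk_file read;
+ class process { getattr signull };
+ class unix_stream_socket connectto;
+ class capability { sys_resource sys_nice };
+ class tcp_socket { name_bind name_connect };
+ class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
+ class sock_file { create unlink getattr };
+ class blk_file { read write open };
+ class dir { write search getattr add_name read remove_name open };
+}
+
+
+#============= mysqld_safe_t ==============
+allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t self:capability { sys_resource sys_nice };
+allow mysqld_safe_t tmp_t:file { create read write open getattr unlink ioctl setattr };
+allow mysqld_safe_t tmp_t:dir { write remove_name add_name };
+allow mysqld_safe_t tmp_t:sock_file { getattr unlink };
+allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink };
+allow mysqld_safe_t var_lib_t:dir { write add_name };
+allow mysqld_safe_t var_lib_t:file { write ioctl setattr create open getattr append unlink };
+
+#============= mysqld_t ==============
+allow mysqld_t anon_inodefs_t:file write;
+allow mysqld_t tmp_t:sock_file { create unlink };
+allow mysqld_t tmpfs_t:dir { write search read remove_name open add_name };
+allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
+allow mysqld_t fixed_disk_device_t:blk_file { read write open };
+allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans getattr };
+
+#This rule allows connecting on 4444/4567/4568
+allow mysqld_t kerberos_master_port_t:tcp_socket { name_bind name_connect };
+
+allow mysqld_t mysqld_safe_t:dir { getattr search };
+allow mysqld_t mysqld_safe_t:file { read open };
+allow mysqld_t self:unix_stream_socket connectto;
+allow mysqld_t port_t:tcp_socket { name_bind name_connect };
+allow mysqld_t proc_net_t:file { read getattr open };
+allow mysqld_t sysctl_net_t:dir search;
+allow mysqld_t var_lib_t:file { getattr open append };
+allow mysqld_t var_lib_t:sock_file { create unlink getattr };
+allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans };
+allow mysqld_t self:process getattr;
+allow mysqld_t hostname_exec_t:file { read getattr execute open execute_no_trans };
+allow mysqld_t user_tmp_t:dir { write add_name };
+allow mysqld_t user_tmp_t:file create;
+allow mysqld_t bin_t:lnk_file read;
+allow mysqld_t tmp_t:file { append create read write open getattr unlink setattr };
+
+# Allows too much leeway - the xtrabackup/wsrep rules in fc should fix it, but
+# keep for the moment.
+allow mysqld_t shell_exec_t:file { execute_no_trans getattr read execute open };
+allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };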
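Review bot: `allow mysqld_t fixed_disk_device_t:blk_file { read write open };` gives the database daemon read and write access to raw disk devices, which lets a compromised mysqld bypass filesystem permissions entirely; unless raw partitions are actually used as datafiles, this rule (and the matching `/dev/dm-0 r` plus `capability sys_rawio` in the AppArmor profile) looks like audit2allow noise and should be dropped, or justified in a comment. Likewise `allow mysqld_t port_t:tcp_socket { name_bind name_connect };` permits binding and connecting on every unlabeled port; the comment above says the intent is 4444/4567/4568, and as far as I know `kerberos_master_port_t` covers 4444 but not 4567/4568, so the tighter fix is to label those two ports (e.g. `semanage port -a -t mysqld_port_t -p tcp 4567-4568`) and remove the `port_t` rule. A short header comment stating how these rules were generated and which of the `execute_no_trans` grants are deliberate would help the next person auditing this module.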
