Hi Daniel! On Fri, Jun 19, 2015 at 2:11 AM, Daniel Black <daniel.black@openquery.com.au
wrote:
Nice work.
https://mariadb.atlassian.net/browse/MDEV-7637 has some netlink_audit_socket rules that don't appear to be here.
No, I did not try PAM.
Recommend contributing the selinux component to https://github.com/TresysTechnology/refpolicy which distros usually develop their policies from.
Sure, that's a good idea. I will wait for sometime for the policies to stabilize and then open a pull request. There are some version specific changes that we need to sort out. For instance, tram_port_t (tcp/4567) is defined in CentOS 7.0 and not in Centos 6.5. And similar stuff.
Does this work for galera multicast? It appears to only allow tcp bind here.
No it didn't. :) I have a patch ready for this now.
note for readme semanage permissive -a mysqld_t - less of a change for enabling just that domain to be permissive.
Yep, I have updated the README.
Does any of https://mariadb.com/kb/en/mariadb/what-to-do-if-mariadb-doesnt-start/ need changing?
It looks good, don't think we need to update it to reflect any change related to this. Thanks! -- Nirbhay
----- On 18 Jun, 2015, at 11:59 PM, Nirbhay Choubey nirbhay@mariadb.com wrote:
revision-id: 6050ab658696925f2a031b901eb398fff65fa92a parent(s): 9eff9ed5c58e782abf383a52a7e691a55b4798a2 committer: Nirbhay Choubey branch nick: 5.5-galera timestamp: 2015-06-18 09:59:09 -0400 message:
MDEV-6829 : SELinux/AppArmor policies for Galera server
Add SELinux policy and AppArmor profile under policy/.
--- policy/apparmor/README | 5 ++ policy/apparmor/usr.sbin.mysqld | 150 ++++++++++++++++++++++++++++++++++ policy/apparmor/usr.sbin.mysqld.local | 4 + policy/selinux/README | 18 ++++ policy/selinux/mariadb-server.fc | 10 +++ policy/selinux/mariadb-server.te | 91 +++++++++++++++++++++ 6 files changed, 278 insertions(+)
diff --git a/policy/apparmor/README b/policy/apparmor/README new file mode 100644 index 0000000..271655f --- /dev/null +++ b/policy/apparmor/README @@ -0,0 +1,5 @@ +Note: The included AppArmor profiles can be used for MariaDB Galera cluster. +However, since these profiles had been tested for a limited set of scenarios, +it is highly recommended to run them in "complain" mode and report any denials +on mariadb.org/jira. + diff --git a/policy/apparmor/usr.sbin.mysqld b/policy/apparmor/usr.sbin.mysqld new file mode 100644 index 0000000..307872c --- /dev/null +++ b/policy/apparmor/usr.sbin.mysqld @@ -0,0 +1,150 @@ +# Last Modified: Fri Mar 1 18:55:47 2013 +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu. +# This AppArmor profile has been copied under BSD License from +# Percona XtraDB Cluster, along with some additions. + +#include <tunables/global> + +/usr/sbin/mysqld flags=(complain) { + #include <abstractions/base> + #include <abstractions/mysql> + #include <abstractions/nameservice> + #include <abstractions/user-tmp> + #include <abstractions/winbind> + + capability chown, + capability dac_override, + capability setgid, + capability setuid, + capability sys_rawio, + capability sys_resource, + + network tcp, + + /bin/dash rcx, + /dev/dm-0 r, + /etc/gai.conf r, + /etc/group r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/ld.so.cache r, + /etc/mtab r, + /etc/my.cnf r, + /etc/mysql/*.cnf r, + /etc/mysql/*.pem r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /etc/nsswitch.conf r, + /etc/passwd r, + /etc/services r, + /run/mysqld/mysqld.pid w, + /run/mysqld/mysqld.sock w, + /sys/devices/system/cpu/ r, + owner /tmp/** lk, + /tmp/** rw, + /usr/lib/mysql/plugin/ r, + /usr/lib/mysql/plugin/*.so* mr, + /usr/sbin/mysqld mr, + /usr/share/mysql/** r, + /var/lib/mysql/ r, + /var/lib/mysql/** rwk, + /var/log/mysql.err rw, + /var/log/mysql.log rw, + /var/log/mysql/ r, + /var/log/mysql/* rw, + /var/run/mysqld/mysqld.pid w, + /var/run/mysqld/mysqld.sock w, + + + profile /bin/dash flags=(complain) { + #include <abstractions/base> + #include <abstractions/bash> + #include <abstractions/mysql> + #include <abstractions/nameservice> + #include <abstractions/perl> + + + + /bin/cat rix, + /bin/dash rix, + /bin/date rix, + /bin/grep rix, + /bin/nc.openbsd rix, + /bin/netstat rix, + /bin/ps rix, + /bin/rm rix, + /bin/sed rix, + /bin/sleep rix, + /bin/tar rix, + /bin/which rix, + /dev/tty rw, + /etc/ld.so.cache r, + /etc/my.cnf r, + /proc/ r, + /proc/*/cmdline r, + /proc/*/fd/ r, + /proc/*/net/dev r, + /proc/*/net/if_inet6 r, + /proc/*/net/tcp r, + /proc/*/net/tcp6 r, + /proc/*/stat r, + /proc/*/status r, + /proc/sys/kernel/pid_max r, + /proc/tty/drivers r, + /proc/uptime r, + /proc/version r, + /sbin/ifconfig rix, + /sys/devices/system/cpu/ r, + /tmp/** rw, + /usr/bin/cut rix, + /usr/bin/dirname rix, + /usr/bin/gawk rix, + /usr/bin/innobackupex rix, + /usr/bin/mysql rix, + /usr/bin/perl rix, + /usr/bin/seq rix, + /usr/bin/wsrep_sst* rix, + /usr/bin/wsrep_sst_common r, + /usr/bin/xtrabackup* rix, + /var/lib/mysql/ r, + /var/lib/mysql/** rw, + /var/lib/mysql/*.log w, + /var/lib/mysql/*.err w, + +# MariaDB additions + ptrace peer=@{profile_name}, + + /bin/hostname rix, + /bin/ip rix, + /bin/mktemp rix, + /bin/ss rix, + /bin/sync rix, + /bin/touch rix, + /bin/uname rix, + /etc/mysql/*.cnf r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /proc/*/attr/current r, + /proc/*/fdinfo/* r, + /proc/*/net/* r, + /proc/locks r, + /proc/sys/net/ipv4/ip_local_port_range r, + /run/mysqld/mysqld.sock rw, + /sbin/ip rix, + /usr/bin/basename rix, + /usr/bin/du rix, + /usr/bin/find rix, + /usr/bin/lsof rix, + /usr/bin/my_print_defaults rix, + /usr/bin/mysqldump rix, + /usr/bin/pv rix, + /usr/bin/rsync rix, + /usr/bin/socat rix, + /usr/bin/tail rix, + /usr/bin/timeout rix, + /usr/bin/xargs rix, + /usr/bin/xbstream rix, + } + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.mysqld> +} diff --git a/policy/apparmor/usr.sbin.mysqld.local b/policy/apparmor/usr.sbin.mysqld.local new file mode 100644 index 0000000..a0b8a02 --- /dev/null +++ b/policy/apparmor/usr.sbin.mysqld.local @@ -0,0 +1,4 @@ +# Site-specific additions and overrides for usr.sbin.mysqld.. +# For more details, please see /etc/apparmor.d/local/README. +# This AppArmor profile has been copied under BSD License from +# Percona XtraDB Cluster, along with some additions. diff --git a/policy/selinux/README b/policy/selinux/README new file mode 100644 index 0000000..a8c11c7 --- /dev/null +++ b/policy/selinux/README @@ -0,0 +1,18 @@ +Note: The included SELinux policy files can be used for MariaDB Galera cluster. +However, since these policies had been tested for a limited set of scenarios, +it is highly recommended to run SELinux in "permissive" mode even with these +policies installed and report any denials on mariadb.org/jira. + + +How to generate and load the policy module of MariaDB Galera cluster ? + +* Generate the SELinux policy module. + # cd <source>/policy/selinux/ + # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp + +* Load the generated policy module. + # semodule -i /path/to/mariadb-server.pp + +* Lastly, run the following command to allow 4568. + # semanage port -a -t mysqld_port_t -p tcp 4568 + diff --git a/policy/selinux/mariadb-server.fc b/policy/selinux/mariadb-server.fc new file mode 100644 index 0000000..1a69ecc --- /dev/null +++ b/policy/selinux/mariadb-server.fc @@ -0,0 +1,10 @@ +# This SELinux file contexts (.fc) file has been copied under BSD License from +# Percona XtraDB Cluster. + +/etc/init\.d/rc\.d/mysql -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) +/var/lib/mysql/.*\.log -- gen_context(system_u:object_r:mysqld_log_t,s0) +/var/lib/mysql/.*\.err -- gen_context(system_u:object_r:mysqld_log_t,s0) +/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/lib/mysql/.*\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) +/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/bin/wsrep.* -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) diff --git a/policy/selinux/mariadb-server.te b/policy/selinux/mariadb-server.te new file mode 100644 index 0000000..9c0319c --- /dev/null +++ b/policy/selinux/mariadb-server.te @@ -0,0 +1,91 @@ +# This SELinux type enforcement (.te) file has been copied under BSD License +# from Percona XtraDB Cluster, along with some additions. + +module mariadb-server 1.0; + +require { + type user_tmp_t; + type kerberos_port_t; + type mysqld_safe_t; + type tmp_t; + type tmpfs_t; + type hostname_exec_t; + type ifconfig_exec_t; + type sysctl_net_t; + type proc_net_t; + type port_t; + type mysqld_t; + type var_lib_t; + type rsync_exec_t; + type bin_t; + type shell_exec_t; + type anon_inodefs_t; + type fixed_disk_device_t; + class lnk_file read; + class process { getattr signull }; + class unix_stream_socket connectto; + class capability { sys_resource sys_nice }; + class tcp_socket { name_bind name_connect }; + class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink }; + class sock_file { create unlink getattr }; + class blk_file { read write open }; + class dir { write search getattr add_name read remove_name open }; + +# MariaDB additions + type tram_port_t; + class process setpgid; + class netlink_tcpdiag_socket { create nlmsg_read }; +} + + +#============= mysqld_safe_t ============== +allow mysqld_safe_t mysqld_t:process signull; +allow mysqld_safe_t self:capability { sys_resource sys_nice }; +allow mysqld_safe_t tmp_t:file { create read write open getattr unlink ioctl setattr }; +allow mysqld_safe_t tmp_t:dir { write remove_name add_name }; +allow mysqld_safe_t tmp_t:sock_file { getattr unlink }; +allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink }; +allow mysqld_safe_t var_lib_t:dir { write add_name }; +allow mysqld_safe_t var_lib_t:file { write ioctl setattr create open getattr append unlink }; + +#============= mysqld_t ============== +allow mysqld_t anon_inodefs_t:file write; +allow mysqld_t tmp_t:sock_file { create unlink }; +allow mysqld_t tmpfs_t:dir { write search read remove_name open add_name }; +allow mysqld_t tmpfs_t:file { write getattr read create unlink open }; +allow mysqld_t fixed_disk_device_t:blk_file { read write open }; +allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans getattr }; + +#This rule allows connecting on 4444 +allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect }; + +allow mysqld_t mysqld_safe_t:dir { getattr search }; +allow mysqld_t mysqld_safe_t:file { read open }; +allow mysqld_t self:unix_stream_socket connectto; +allow mysqld_t port_t:tcp_socket { name_bind name_connect }; +allow mysqld_t proc_net_t:file { read getattr open }; +allow mysqld_t sysctl_net_t:dir search; +allow mysqld_t var_lib_t:file { getattr open append }; +allow mysqld_t var_lib_t:sock_file { create unlink getattr }; +allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans }; +allow mysqld_t self:process getattr; +allow mysqld_t hostname_exec_t:file { read getattr execute open execute_no_trans }; +allow mysqld_t user_tmp_t:dir { write add_name }; +allow mysqld_t user_tmp_t:file create; +allow mysqld_t bin_t:lnk_file read; +allow mysqld_t tmp_t:file { append create read write open getattr unlink setattr }; + +# Allows too much leeway - the xtrabackup/wsrep rules in fc should fix it, but +# keep for the moment. +allow mysqld_t shell_exec_t:file { execute_no_trans getattr read execute open }; +allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl }; + +# MariaDB additions +allow mysqld_t self:process setpgid; +# This rule allows port 4567 +allow mysqld_t tram_port_t:tcp_socket name_bind; + +# Rules related to XtraBackup +allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read }; +allow mysqld_t sysctl_net_t:file { read getattr open }; + _______________________________________________ commits mailing list commits@mariadb.org https://lists.askmonty.org/cgi-bin/mailman/listinfo/commits
-- -- Daniel Black, Engineer @ Open Query (http://openquery.com.au) Remote expertise & maintenance for MySQL/MariaDB server environments.