Nice work.
https://mariadb.atlassian.net/browse/MDEV-7637 has some netlink_audit_socket rules that don't appear to be here.
Recommend contributing the selinux component to https://github.com/TresysTechnology/refpolicy which distros usually develop their policies from.
Does this work for galera multicast? It appears to only allow tcp bind here.
note for readme semanage permissive -a mysqld_t - less of a change for enabling just that domain to be permissive.
Does any of https://mariadb.com/kb/en/mariadb/what-to-do-if-mariadb-doesnt-start/ need changing?
----- On 18 Jun, 2015, at 11:59 PM, Nirbhay Choubey nirbhay@mariadb.com wrote:
> revision-id: 6050ab658696925f2a031b901eb398fff65fa92a
> parent(s): 9eff9ed5c58e782abf383a52a7e691a55b4798a2
> committer: Nirbhay Choubey
> branch nick: 5.5-galera
> timestamp: 2015-06-18 09:59:09 -0400
> message:
>
> MDEV-6829 : SELinux/AppArmor policies for Galera server
>
> Add SELinux policy and AppArmor profile under policy/.
>
> ---
> policy/apparmor/README | 5 ++
> policy/apparmor/usr.sbin.mysqld | 150 ++++++++++++++++++++++++++++++++++
> policy/apparmor/usr.sbin.mysqld.local | 4 +
> policy/selinux/README | 18 ++++
> policy/selinux/mariadb-server.fc | 10 +++
> policy/selinux/mariadb-server.te | 91 +++++++++++++++++++++
> 6 files changed, 278 insertions(+)
>
> diff --git a/policy/apparmor/README b/policy/apparmor/README
> new file mode 100644
> index 0000000..271655f
> --- /dev/null
> +++ b/policy/apparmor/README
> @@ -0,0 +1,5 @@
> +Note: The included AppArmor profiles can be used for MariaDB Galera cluster.
> +However, since these profiles had been tested for a limited set of scenarios,
> +it is highly recommended to run them in "complain" mode and report any denials
> +on mariadb.org/jira.
> +
> diff --git a/policy/apparmor/usr.sbin.mysqld b/policy/apparmor/usr.sbin.mysqld
> new file mode 100644
> index 0000000..307872c
> --- /dev/null
> +++ b/policy/apparmor/usr.sbin.mysqld
> @@ -0,0 +1,150 @@
> +# Last Modified: Fri Mar 1 18:55:47 2013
> +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
> +# This AppArmor profile has been copied under BSD License from
> +# Percona XtraDB Cluster, along with some additions.
> +
> +#include <tunables/global>
> +
> +/usr/sbin/mysqld flags=(complain) {
> + #include <abstractions/base>
> + #include <abstractions/mysql>
> + #include <abstractions/nameservice>
> + #include <abstractions/user-tmp>
> + #include <abstractions/winbind>
> +
> + capability chown,
> + capability dac_override,
> + capability setgid,
> + capability setuid,
> + capability sys_rawio,
> + capability sys_resource,
> +
> + network tcp,
> +
> + /bin/dash rcx,
> + /dev/dm-0 r,
> + /etc/gai.conf r,
> + /etc/group r,
> + /etc/hosts.allow r,
> + /etc/hosts.deny r,
> + /etc/ld.so.cache r,
> + /etc/mtab r,
> + /etc/my.cnf r,
> + /etc/mysql/*.cnf r,
> + /etc/mysql/*.pem r,
> + /etc/mysql/conf.d/ r,
> + /etc/mysql/conf.d/* r,
> + /etc/nsswitch.conf r,
> + /etc/passwd r,
> + /etc/services r,
> + /run/mysqld/mysqld.pid w,
> + /run/mysqld/mysqld.sock w,
> + /sys/devices/system/cpu/ r,
> + owner /tmp/** lk,
> + /tmp/** rw,
> + /usr/lib/mysql/plugin/ r,
> + /usr/lib/mysql/plugin/*.so* mr,
> + /usr/sbin/mysqld mr,
> + /usr/share/mysql/** r,
> + /var/lib/mysql/ r,
> + /var/lib/mysql/** rwk,
> + /var/log/mysql.err rw,
> + /var/log/mysql.log rw,
> + /var/log/mysql/ r,
> + /var/log/mysql/* rw,
> + /var/run/mysqld/mysqld.pid w,
> + /var/run/mysqld/mysqld.sock w,
> +
> +
> + profile /bin/dash flags=(complain) {
> + #include <abstractions/base>
> + #include <abstractions/bash>
> + #include <abstractions/mysql>
> + #include <abstractions/nameservice>
> + #include <abstractions/perl>
> +
> +
> +
> + /bin/cat rix,
> + /bin/dash rix,
> + /bin/date rix,
> + /bin/grep rix,
> + /bin/nc.openbsd rix,
> + /bin/netstat rix,
> + /bin/ps rix,
> + /bin/rm rix,
> + /bin/sed rix,
> + /bin/sleep rix,
> + /bin/tar rix,
> + /bin/which rix,
> + /dev/tty rw,
> + /etc/ld.so.cache r,
> + /etc/my.cnf r,
> + /proc/ r,
> + /proc/*/cmdline r,
> + /proc/*/fd/ r,
> + /proc/*/net/dev r,
> + /proc/*/net/if_inet6 r,
> + /proc/*/net/tcp r,
> + /proc/*/net/tcp6 r,
> + /proc/*/stat r,
> + /proc/*/status r,
> + /proc/sys/kernel/pid_max r,
> + /proc/tty/drivers r,
> + /proc/uptime r,
> + /proc/version r,
> + /sbin/ifconfig rix,
> + /sys/devices/system/cpu/ r,
> + /tmp/** rw,
> + /usr/bin/cut rix,
> + /usr/bin/dirname rix,
> + /usr/bin/gawk rix,
> + /usr/bin/innobackupex rix,
> + /usr/bin/mysql rix,
> + /usr/bin/perl rix,
> + /usr/bin/seq rix,
> + /usr/bin/wsrep_sst* rix,
> + /usr/bin/wsrep_sst_common r,
> + /usr/bin/xtrabackup* rix,
> + /var/lib/mysql/ r,
> + /var/lib/mysql/** rw,
> + /var/lib/mysql/*.log w,
> + /var/lib/mysql/*.err w,
> +
> +# MariaDB additions
> + ptrace peer=@{profile_name},
> +
> + /bin/hostname rix,
> + /bin/ip rix,
> + /bin/mktemp rix,
> + /bin/ss rix,
> + /bin/sync rix,
> + /bin/touch rix,
> + /bin/uname rix,
> + /etc/mysql/*.cnf r,
> + /etc/mysql/conf.d/ r,
> + /etc/mysql/conf.d/* r,
> + /proc/*/attr/current r,
> + /proc/*/fdinfo/* r,
> + /proc/*/net/* r,
> + /proc/locks r,
> + /proc/sys/net/ipv4/ip_local_port_range r,
> + /run/mysqld/mysqld.sock rw,
> + /sbin/ip rix,
> + /usr/bin/basename rix,
> + /usr/bin/du rix,
> + /usr/bin/find rix,
> + /usr/bin/lsof rix,
> + /usr/bin/my_print_defaults rix,
> + /usr/bin/mysqldump rix,
> + /usr/bin/pv rix,
> + /usr/bin/rsync rix,
> + /usr/bin/socat rix,
> + /usr/bin/tail rix,
> + /usr/bin/timeout rix,
> + /usr/bin/xargs rix,
> + /usr/bin/xbstream rix,
> + }
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.sbin.mysqld>
> +}
> diff --git a/policy/apparmor/usr.sbin.mysqld.local
> b/policy/apparmor/usr.sbin.mysqld.local
> new file mode 100644
> index 0000000..a0b8a02
> --- /dev/null
> +++ b/policy/apparmor/usr.sbin.mysqld.local
> @@ -0,0 +1,4 @@
> +# Site-specific additions and overrides for usr.sbin.mysqld..
> +# For more details, please see /etc/apparmor.d/local/README.
> +# This AppArmor profile has been copied under BSD License from
> +# Percona XtraDB Cluster, along with some additions.
> diff --git a/policy/selinux/README b/policy/selinux/README
> new file mode 100644
> index 0000000..a8c11c7
> --- /dev/null
> +++ b/policy/selinux/README
> @@ -0,0 +1,18 @@
> +Note: The included SELinux policy files can be used for MariaDB Galera cluster.
> +However, since these policies had been tested for a limited set of scenarios,
> +it is highly recommended to run SELinux in "permissive" mode even with these
> +policies installed and report any denials on mariadb.org/jira.
> +
> +
> +How to generate and load the policy module of MariaDB Galera cluster ?
> +
> +* Generate the SELinux policy module.
> + # cd <source>/policy/selinux/
> + # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
> +
> +* Load the generated policy module.
> + # semodule -i /path/to/mariadb-server.pp
> +
> +* Lastly, run the following command to allow 4568.
> + # semanage port -a -t mysqld_port_t -p tcp 4568
> +
> diff --git a/policy/selinux/mariadb-server.fc b/policy/selinux/mariadb-server.fc
> new file mode 100644
> index 0000000..1a69ecc
> --- /dev/null
> +++ b/policy/selinux/mariadb-server.fc
> @@ -0,0 +1,10 @@
> +# This SELinux file contexts (.fc) file has been copied under BSD License from
> +# Percona XtraDB Cluster.
> +
> +/etc/init\.d/rc\.d/mysql --
> gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> +/var/lib/mysql/.*\.log -- gen_context(system_u:object_r:mysqld_log_t,s0)
> +/var/lib/mysql/.*\.err -- gen_context(system_u:object_r:mysqld_log_t,s0)
> +/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)
> +/var/lib/mysql/.*\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
> +/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0)
> +/usr/bin/wsrep.* -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
> diff --git a/policy/selinux/mariadb-server.te b/policy/selinux/mariadb-server.te
> new file mode 100644
> index 0000000..9c0319c
> --- /dev/null
> +++ b/policy/selinux/mariadb-server.te
> @@ -0,0 +1,91 @@
> +# This SELinux type enforcement (.te) file has been copied under BSD License
> +# from Percona XtraDB Cluster, along with some additions.
> +
> +module mariadb-server 1.0;
> +
> +require {
> + type user_tmp_t;
> + type kerberos_port_t;
> + type mysqld_safe_t;
> + type tmp_t;
> + type tmpfs_t;
> + type hostname_exec_t;
> + type ifconfig_exec_t;
> + type sysctl_net_t;
> + type proc_net_t;
> + type port_t;
> + type mysqld_t;
> + type var_lib_t;
> + type rsync_exec_t;
> + type bin_t;
> + type shell_exec_t;
> + type anon_inodefs_t;
> + type fixed_disk_device_t;
> + class lnk_file read;
> + class process { getattr signull };
> + class unix_stream_socket connectto;
> + class capability { sys_resource sys_nice };
> + class tcp_socket { name_bind name_connect };
> + class file { execute setattr read create getattr execute_no_trans write ioctl
> open append unlink };
> + class sock_file { create unlink getattr };
> + class blk_file { read write open };
> + class dir { write search getattr add_name read remove_name open };
> +
> +# MariaDB additions
> + type tram_port_t;
> + class process setpgid;
> + class netlink_tcpdiag_socket { create nlmsg_read };
> +}
> +
> +
> +#============= mysqld_safe_t ==============
> +allow mysqld_safe_t mysqld_t:process signull;
> +allow mysqld_safe_t self:capability { sys_resource sys_nice };
> +allow mysqld_safe_t tmp_t:file { create read write open getattr unlink ioctl
> setattr };
> +allow mysqld_safe_t tmp_t:dir { write remove_name add_name };
> +allow mysqld_safe_t tmp_t:sock_file { getattr unlink };
> +allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink };
> +allow mysqld_safe_t var_lib_t:dir { write add_name };
> +allow mysqld_safe_t var_lib_t:file { write ioctl setattr create open getattr
> append unlink };
> +
> +#============= mysqld_t ==============
> +allow mysqld_t anon_inodefs_t:file write;
> +allow mysqld_t tmp_t:sock_file { create unlink };
> +allow mysqld_t tmpfs_t:dir { write search read remove_name open add_name };
> +allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
> +allow mysqld_t fixed_disk_device_t:blk_file { read write open };
> +allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans
> getattr };
> +
> +#This rule allows connecting on 4444
> +allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
> +
> +allow mysqld_t mysqld_safe_t:dir { getattr search };
> +allow mysqld_t mysqld_safe_t:file { read open };
> +allow mysqld_t self:unix_stream_socket connectto;
> +allow mysqld_t port_t:tcp_socket { name_bind name_connect };
> +allow mysqld_t proc_net_t:file { read getattr open };
> +allow mysqld_t sysctl_net_t:dir search;
> +allow mysqld_t var_lib_t:file { getattr open append };
> +allow mysqld_t var_lib_t:sock_file { create unlink getattr };
> +allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans
> };
> +allow mysqld_t self:process getattr;
> +allow mysqld_t hostname_exec_t:file { read getattr execute open
> execute_no_trans };
> +allow mysqld_t user_tmp_t:dir { write add_name };
> +allow mysqld_t user_tmp_t:file create;
> +allow mysqld_t bin_t:lnk_file read;
> +allow mysqld_t tmp_t:file { append create read write open getattr unlink
> setattr };
> +
> +# Allows too much leeway - the xtrabackup/wsrep rules in fc should fix it, but
> +# keep for the moment.
> +allow mysqld_t shell_exec_t:file { execute_no_trans getattr read execute open
> };
> +allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
> +
> +# MariaDB additions
> +allow mysqld_t self:process setpgid;
> +# This rule allows port 4567
> +allow mysqld_t tram_port_t:tcp_socket name_bind;
> +
> +# Rules related to XtraBackup
> +allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read };
> +allow mysqld_t sysctl_net_t:file { read getattr open };
> +
> _______________________________________________
> commits mailing list
> commits@mariadb.org
> https://lists.askmonty.org/cgi-bin/mailman/listinfo/commits
--
--
Daniel Black, Engineer @ Open Query (http://openquery.com.au)
Remote expertise & maintenance for MySQL/MariaDB server environments.