
Re: [Commits] 6050ab6: MDEV-6829 : SELinux/AppArmor policies for Galera server


Hi Daniel!

On Fri, Jun 19, 2015 at 2:11 AM, Daniel Black <daniel.black@xxxxxxxxxxxxxxxx> wrote:

> Nice work.
>
> https://mariadb.atlassian.net/browse/MDEV-7637 has some
> netlink_audit_socket rules that don't appear to be here.
>

No, I did not try PAM.


> Recommend contributing the selinux component to
> https://github.com/TresysTechnology/refpolicy which distros usually
> develop their policies from.
>

Sure, that's a good idea. I will wait for some time for the policies to
stabilize and then open a pull request.
There are some version-specific changes that we need to sort out. For
instance, tram_port_t (tcp/4567) is defined in CentOS 7.0 and not in CentOS 6.5.
And similar stuff.


> Does this work for galera multicast? It appears to only allow tcp bind
> here.
>

No, it didn't. :) I have a patch ready for this now.


>
> Note for README: semanage permissive -a mysqld_t - less of a change for
> enabling just that domain to be permissive.
>

Yep, I have updated the README.


>
> Does any of
> https://mariadb.com/kb/en/mariadb/what-to-do-if-mariadb-doesnt-start/
> need changing?
>

It looks good; I don't think we need to update it to reflect any change
related to this.

Thanks!

-- Nirbhay


>
>
> ----- On 18 Jun, 2015, at 11:59 PM, Nirbhay Choubey nirbhay@xxxxxxxxxxx
> wrote:
>
> > revision-id: 6050ab658696925f2a031b901eb398fff65fa92a
> > parent(s): 9eff9ed5c58e782abf383a52a7e691a55b4798a2
> > committer: Nirbhay Choubey
> > branch nick: 5.5-galera
> > timestamp: 2015-06-18 09:59:09 -0400
> > message:
> >
> > MDEV-6829 : SELinux/AppArmor policies for Galera server
> >
> > Add SELinux policy and AppArmor profile under policy/.
> >
> > ---
> > policy/apparmor/README                |   5 ++
> > policy/apparmor/usr.sbin.mysqld       | 150
> ++++++++++++++++++++++++++++++++++
> > policy/apparmor/usr.sbin.mysqld.local |   4 +
> > policy/selinux/README                 |  18 ++++
> > policy/selinux/mariadb-server.fc      |  10 +++
> > policy/selinux/mariadb-server.te      |  91 +++++++++++++++++++++
> > 6 files changed, 278 insertions(+)
> >
> > diff --git a/policy/apparmor/README b/policy/apparmor/README
> > new file mode 100644
> > index 0000000..271655f
> > --- /dev/null
> > +++ b/policy/apparmor/README
> > @@ -0,0 +1,5 @@
> > +Note: The included AppArmor profiles can be used for MariaDB Galera
> cluster.
> > +However, since these profiles had been tested for a limited set of
> scenarios,
> > +it is highly recommended to run them in "complain" mode and report any
> denials
> > +on mariadb.org/jira.
> > +
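Review bot: "these profiles had been tested" should read "have been tested", and the README should state how complain mode is entered and left: as shipped, both the main profile and the `/bin/dash` child profile carry `flags=(complain)`, so nothing is enforced until that flag is removed (or `aa-enforce /etc/apparmor.d/usr.sbin.mysqld` is run). Saying so next to the request to report denials tells the reader what "run them in complain mode" actually requires and how to switch to enforcement once the profile is trusted.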
> > diff --git a/policy/apparmor/usr.sbin.mysqld
> b/policy/apparmor/usr.sbin.mysqld
> > new file mode 100644
> > index 0000000..307872c
> > --- /dev/null
> > +++ b/policy/apparmor/usr.sbin.mysqld
> > @@ -0,0 +1,150 @@
> > +# Last Modified: Fri Mar  1 18:55:47 2013
> > +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
> > +# This AppArmor profile has been copied under BSD License from
> > +# Percona XtraDB Cluster, along with some additions.
> > +
> > +#include <tunables/global>
> > +
> > +/usr/sbin/mysqld flags=(complain) {
> > +  #include <abstractions/base>
> > +  #include <abstractions/mysql>
> > +  #include <abstractions/nameservice>
> > +  #include <abstractions/user-tmp>
> > +  #include <abstractions/winbind>
> > +
> > +  capability chown,
> > +  capability dac_override,
> > +  capability setgid,
> > +  capability setuid,
> > +  capability sys_rawio,
> > +  capability sys_resource,
> > +
> > +  network tcp,
> > +
> > +  /bin/dash rcx,
> > +  /dev/dm-0 r,
> > +  /etc/gai.conf r,
> > +  /etc/group r,
> > +  /etc/hosts.allow r,
> > +  /etc/hosts.deny r,
> > +  /etc/ld.so.cache r,
> > +  /etc/mtab r,
> > +  /etc/my.cnf r,
> > +  /etc/mysql/*.cnf r,
> > +  /etc/mysql/*.pem r,
> > +  /etc/mysql/conf.d/ r,
> > +  /etc/mysql/conf.d/* r,
> > +  /etc/nsswitch.conf r,
> > +  /etc/passwd r,
> > +  /etc/services r,
> > +  /run/mysqld/mysqld.pid w,
> > +  /run/mysqld/mysqld.sock w,
> > +  /sys/devices/system/cpu/ r,
> > +  owner /tmp/** lk,
> > +  /tmp/** rw,
> > +  /usr/lib/mysql/plugin/ r,
> > +  /usr/lib/mysql/plugin/*.so* mr,
> > +  /usr/sbin/mysqld mr,
> > +  /usr/share/mysql/** r,
> > +  /var/lib/mysql/ r,
> > +  /var/lib/mysql/** rwk,
> > +  /var/log/mysql.err rw,
> > +  /var/log/mysql.log rw,
> > +  /var/log/mysql/ r,
> > +  /var/log/mysql/* rw,
> > +  /var/run/mysqld/mysqld.pid w,
> > +  /var/run/mysqld/mysqld.sock w,
> > +
> > +
> > +  profile /bin/dash flags=(complain) {
> > +    #include <abstractions/base>
> > +    #include <abstractions/bash>
> > +    #include <abstractions/mysql>
> > +    #include <abstractions/nameservice>
> > +    #include <abstractions/perl>
> > +
> > +
> > +
> > +    /bin/cat rix,
> > +    /bin/dash rix,
> > +    /bin/date rix,
> > +    /bin/grep rix,
> > +    /bin/nc.openbsd rix,
> > +    /bin/netstat rix,
> > +    /bin/ps rix,
> > +    /bin/rm rix,
> > +    /bin/sed rix,
> > +    /bin/sleep rix,
> > +    /bin/tar rix,
> > +    /bin/which rix,
> > +    /dev/tty rw,
> > +    /etc/ld.so.cache r,
> > +    /etc/my.cnf r,
> > +    /proc/ r,
> > +    /proc/*/cmdline r,
> > +    /proc/*/fd/ r,
> > +    /proc/*/net/dev r,
> > +    /proc/*/net/if_inet6 r,
> > +    /proc/*/net/tcp r,
> > +    /proc/*/net/tcp6 r,
> > +    /proc/*/stat r,
> > +    /proc/*/status r,
> > +    /proc/sys/kernel/pid_max r,
> > +    /proc/tty/drivers r,
> > +    /proc/uptime r,
> > +    /proc/version r,
> > +    /sbin/ifconfig rix,
> > +    /sys/devices/system/cpu/ r,
> > +    /tmp/** rw,
> > +    /usr/bin/cut rix,
> > +    /usr/bin/dirname rix,
> > +    /usr/bin/gawk rix,
> > +    /usr/bin/innobackupex rix,
> > +    /usr/bin/mysql rix,
> > +    /usr/bin/perl rix,
> > +    /usr/bin/seq rix,
> > +    /usr/bin/wsrep_sst* rix,
> > +    /usr/bin/wsrep_sst_common r,
> > +    /usr/bin/xtrabackup* rix,
> > +    /var/lib/mysql/ r,
> > +    /var/lib/mysql/** rw,
> > +    /var/lib/mysql/*.log w,
> > +    /var/lib/mysql/*.err w,
> > +
> > +# MariaDB additions
> > +    ptrace peer=@{profile_name},
> > +
> > +    /bin/hostname rix,
> > +    /bin/ip rix,
> > +    /bin/mktemp rix,
> > +    /bin/ss rix,
> > +    /bin/sync rix,
> > +    /bin/touch rix,
> > +    /bin/uname rix,
> > +    /etc/mysql/*.cnf r,
> > +    /etc/mysql/conf.d/ r,
> > +    /etc/mysql/conf.d/* r,
> > +    /proc/*/attr/current r,
> > +    /proc/*/fdinfo/* r,
> > +    /proc/*/net/* r,
> > +    /proc/locks r,
> > +    /proc/sys/net/ipv4/ip_local_port_range r,
> > +    /run/mysqld/mysqld.sock rw,
> > +    /sbin/ip rix,
> > +    /usr/bin/basename rix,
> > +    /usr/bin/du rix,
> > +    /usr/bin/find rix,
> > +    /usr/bin/lsof rix,
> > +    /usr/bin/my_print_defaults rix,
> > +    /usr/bin/mysqldump rix,
> > +    /usr/bin/pv rix,
> > +    /usr/bin/rsync rix,
> > +    /usr/bin/socat rix,
> > +    /usr/bin/tail rix,
> > +    /usr/bin/timeout rix,
> > +    /usr/bin/xargs rix,
> > +    /usr/bin/xbstream rix,
> > +  }
> > +  # Site-specific additions and overrides. See local/README for details.
> > +  #include <local/usr.sbin.mysqld>
> > +}
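Review bot: `capability sys_rawio` together with `/dev/dm-0 r` in the main profile is host-specific and far broader than a database server needs: sys_rawio permits raw block-device I/O that bypasses file permissions, and `/dev/dm-0` is simply whichever device-mapper volume came first on the packager's machine. Move the device path into the `local/usr.sbin.mysqld` include the profile already pulls in, and drop `sys_rawio` unless a logged denial shows a concrete need. Two smaller points: `/tmp/** rw,` is not restricted with `owner` the way the neighbouring `owner /tmp/** lk,` rule is, so mysqld may write any user's files under /tmp; and the `# Last Modified: Fri Mar  1 18:55:47 2013` header is stale for a file being added in June 2015.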
> > diff --git a/policy/apparmor/usr.sbin.mysqld.local
> > b/policy/apparmor/usr.sbin.mysqld.local
> > new file mode 100644
> > index 0000000..a0b8a02
> > --- /dev/null
> > +++ b/policy/apparmor/usr.sbin.mysqld.local
> > @@ -0,0 +1,4 @@
> > +# Site-specific additions and overrides for usr.sbin.mysqld..
> > +# For more details, please see /etc/apparmor.d/local/README.
> > +# This AppArmor profile has been copied under BSD License from
> > +# Percona XtraDB Cluster, along with some additions.
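Review bot: typo in the first comment, `usr.sbin.mysqld..` has a doubled period. The file also says it was copied "along with some additions" but contains only comments; either drop that sentence or say plainly that this is an empty template for site-local rules, so that the licence line is not read as covering rules that are not there.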
> > diff --git a/policy/selinux/README b/policy/selinux/README
> > new file mode 100644
> > index 0000000..a8c11c7
> > --- /dev/null
> > +++ b/policy/selinux/README
> > @@ -0,0 +1,18 @@
> > +Note: The included SELinux policy files can be used for MariaDB Galera
> cluster.
> > +However, since these policies had been tested for a limited set of
> scenarios,
> > +it is highly recommended to run SELinux in "permissive" mode even with
> these
> > +policies installed and report any denials on mariadb.org/jira.
> > +
> > +
> > +How to generate and load the policy module of MariaDB Galera cluster ?
> > +
> > +* Generate the SELinux policy module.
> > +  # cd <source>/policy/selinux/
> > +  # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
> > +
> > +* Load the generated policy module.
> > +  # semodule -i /path/to/mariadb-server.pp
> > +
> > +* Lastly, run the following command to allow 4568.
> > +  # semanage port -a -t mysqld_port_t -p tcp 4568
> > +
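Review bot: "had been tested" should read "have been tested", and `cluster ?` should be `cluster?`. More substantively, advising permissive mode for the whole system is heavier than needed: `semanage permissive -a mysqld_t` (and `-d` to revert) confines the relaxation to the one domain, as suggested earlier in this thread. The load procedure is also incomplete: `semodule -i` installs the type-enforcement rules, but the labels in mariadb-server.fc are not applied to files already on disk until `restorecon -Rv /usr/bin /var/lib/mysql` is run, so add that after the second step. Finally, the last step labels only 4568 without explaining that 4444 and 4567 are covered by reusing `kerberos_port_t` and `tram_port_t` in the .te file; one sentence on that saves the reader from wondering why a single port is added.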
> > diff --git a/policy/selinux/mariadb-server.fc
> b/policy/selinux/mariadb-server.fc
> > new file mode 100644
> > index 0000000..1a69ecc
> > --- /dev/null
> > +++ b/policy/selinux/mariadb-server.fc
> > @@ -0,0 +1,10 @@
> > +# This SELinux file contexts (.fc) file has been copied under BSD
> License from
> > +# Percona XtraDB Cluster.
> > +
> > +/etc/init\.d/rc\.d/mysql --
> > gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
> > +/var/lib/mysql/.*\.log --
> gen_context(system_u:object_r:mysqld_log_t,s0)
> > +/var/lib/mysql/.*\.err --
> gen_context(system_u:object_r:mysqld_log_t,s0)
> > +/var/lib/mysql/.*\.pid --
> gen_context(system_u:object_r:mysqld_var_run_t,s0)
> > +/var/lib/mysql/.*\.cnf       --
> gen_context(system_u:object_r:mysqld_etc_t,s0)
> > +/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0)
> > +/usr/bin/wsrep.*  --
> gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
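Review bot: the first pattern, `/etc/init\.d/rc\.d/mysql`, looks transposed: Red Hat-style systems keep init scripts under `/etc/rc.d/init.d/` (with `/etc/init.d` a symlink to it), so as written the entry matches nothing and the init script keeps its default label. Please verify against the target layout. Also, `/usr/bin/wsrep.*` is labelled `mysqld_safe_exec_t` while `/usr/bin/xtrabackup.*` gets `mysqld_exec_t`; since both are launched from mysqld during SST, a comment stating the intended domain for each would help, and the `--`/`gen_context` columns should be aligned consistently as in refpolicy.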
> > diff --git a/policy/selinux/mariadb-server.te
> b/policy/selinux/mariadb-server.te
> > new file mode 100644
> > index 0000000..9c0319c
> > --- /dev/null
> > +++ b/policy/selinux/mariadb-server.te
> > @@ -0,0 +1,91 @@
> > +# This SELinux type enforcement (.te) file has been copied under BSD
> License
> > +# from Percona XtraDB Cluster, along with some additions.
> > +
> > +module mariadb-server 1.0;
> > +
> > +require {
> > +        type user_tmp_t;
> > +     type kerberos_port_t;
> > +     type mysqld_safe_t;
> > +        type tmp_t;
> > +        type tmpfs_t;
> > +        type hostname_exec_t;
> > +     type ifconfig_exec_t;
> > +     type sysctl_net_t;
> > +     type proc_net_t;
> > +     type port_t;
> > +     type mysqld_t;
> > +     type var_lib_t;
> > +        type rsync_exec_t;
> > +     type bin_t;
> > +     type shell_exec_t;
> > +     type anon_inodefs_t;
> > +     type fixed_disk_device_t;
> > +     class lnk_file read;
> > +        class process { getattr signull };
> > +     class unix_stream_socket connectto;
> > +     class capability { sys_resource sys_nice };
> > +     class tcp_socket { name_bind name_connect };
> > +     class file { execute setattr read create getattr execute_no_trans
> write ioctl
> > open append unlink };
> > +     class sock_file { create unlink getattr };
> > +     class blk_file { read write open };
> > +     class dir { write search getattr add_name read remove_name open };
> > +
> > +# MariaDB additions
> > +     type tram_port_t;
> > +     class process setpgid;
> > +     class netlink_tcpdiag_socket { create nlmsg_read };
> > +}
> > +
> > +
> > +#============= mysqld_safe_t ==============
> > +allow mysqld_safe_t mysqld_t:process signull;
> > +allow mysqld_safe_t self:capability { sys_resource sys_nice };
> > +allow mysqld_safe_t tmp_t:file { create read write open getattr unlink
> ioctl
> > setattr };
> > +allow mysqld_safe_t tmp_t:dir { write remove_name add_name };
> > +allow mysqld_safe_t tmp_t:sock_file { getattr unlink };
> > +allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink };
> > +allow mysqld_safe_t var_lib_t:dir { write add_name };
> > +allow mysqld_safe_t var_lib_t:file { write ioctl setattr create open
> getattr
> > append unlink };
> > +
> > +#============= mysqld_t ==============
> > +allow mysqld_t anon_inodefs_t:file write;
> > +allow mysqld_t tmp_t:sock_file { create unlink };
> > +allow mysqld_t tmpfs_t:dir { write search read remove_name open
> add_name };
> > +allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
> > +allow mysqld_t fixed_disk_device_t:blk_file { read write open };
> > +allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans
> > getattr };
> > +
> > +#This rule allows connecting on 4444
> > +allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
> > +
> > +allow mysqld_t mysqld_safe_t:dir { getattr search };
> > +allow mysqld_t mysqld_safe_t:file { read open };
> > +allow mysqld_t self:unix_stream_socket connectto;
> > +allow mysqld_t port_t:tcp_socket { name_bind name_connect };
> > +allow mysqld_t proc_net_t:file { read getattr open };
> > +allow mysqld_t sysctl_net_t:dir search;
> > +allow mysqld_t var_lib_t:file { getattr open append };
> > +allow mysqld_t var_lib_t:sock_file { create unlink getattr };
> > +allow mysqld_t rsync_exec_t:file { read getattr open execute
> execute_no_trans
> > };
> > +allow mysqld_t self:process getattr;
> > +allow mysqld_t hostname_exec_t:file { read getattr execute open
> > execute_no_trans };
> > +allow mysqld_t user_tmp_t:dir { write add_name };
> > +allow mysqld_t user_tmp_t:file create;
> > +allow mysqld_t bin_t:lnk_file read;
> > +allow mysqld_t tmp_t:file { append create read write open getattr unlink
> > setattr };
> > +
> > +# Allows too much leeway - the xtrabackup/wsrep rules in fc should fix
> it, but
> > +# keep for the moment.
> > +allow mysqld_t shell_exec_t:file { execute_no_trans getattr read
> execute open
> > };
> > +allow mysqld_t bin_t:file { getattr read execute open execute_no_trans
> ioctl };
> > +
> > +# MariaDB additions
> > +allow mysqld_t self:process setpgid;
> > +# This rule allows port 4567
> > +allow mysqld_t tram_port_t:tcp_socket name_bind;
> > +
> > +# Rules related to XtraBackup
> > +allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read };
> > +allow mysqld_t sysctl_net_t:file { read getattr open };
> > +
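Review bot: several rules here grant far more than the commit message implies. `allow mysqld_t port_t:tcp_socket { name_bind name_connect };` lets mysqld bind and connect to any unlabelled port, which makes the README's `semanage port -a -t mysqld_port_t -p tcp 4568` step redundant and removes the control that labelled ports are meant to give; label the Galera ports and drop the `port_t` rule. Likewise `kerberos_port_t` is used only because 4444 falls in that type's range, so the rule also opens the Kerberos ports (88/tcp among them) to mysqld; a dedicated label via `semanage port` is the cleaner fix. `allow mysqld_t fixed_disk_device_t:blk_file { read write open };` permits writing raw disk devices and should be justified in a comment or removed. The `mysqld_safe_t` rules on generic `var_lib_t` usually indicate mislabelled files under /var/lib/mysql that the .fc file should cover, rather than something the policy should allow. On style, the `require` block mixes tabs and spaces; pick one.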
> > _______________________________________________
> > commits mailing list
> > commits@xxxxxxxxxxx
> > https://lists.askmonty.org/cgi-bin/mailman/listinfo/commits
>
> --
> Daniel Black, Engineer @ Open Query (http://openquery.com.au)
> Remote expertise & maintenance for MySQL/MariaDB server environments.
>
