Chris PeBenito 17de1b
## <summary>Policy for MySQL</summary>
Chris PeBenito 17de1b
Jeremy Solt 12a6a5
######################################
Jeremy Solt 12a6a5
## <summary>
Chris PeBenito e17261
##	Execute MySQL in the mysql domain.
Jeremy Solt 12a6a5
## </summary>
Jeremy Solt 12a6a5
## <param name="domain">
Chris PeBenito e17261
##	<summary>
Chris PeBenito e17261
##	Domain allowed access.
Chris PeBenito e17261
##	</summary>
Jeremy Solt 12a6a5
## </param>
Jeremy Solt 12a6a5
#
Jeremy Solt 12a6a5
interface(`mysql_domtrans',`
Chris PeBenito e17261
	gen_require(`
Chris PeBenito e17261
		type mysqld_t, mysqld_exec_t;
Chris PeBenito e17261
	')
Jeremy Solt 12a6a5
Chris PeBenito e17261
	domtrans_pattern($1, mysqld_exec_t, mysqld_t)
Jeremy Solt 12a6a5
')
Jeremy Solt 12a6a5
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
## <summary>
Chris PeBenito 17de1b
##	Send a generic signal to MySQL.
Chris PeBenito 17de1b
## </summary>
Chris PeBenito 17de1b
## <param name="domain">
Chris PeBenito 17de1b
##	<summary>
Chris PeBenito 17de1b
##	Domain allowed access.
Chris PeBenito 17de1b
##	</summary>
Chris PeBenito 17de1b
## </param>
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
interface(`mysql_signal',`
Chris PeBenito 17de1b
	gen_require(`
Chris PeBenito 17de1b
		type mysqld_t;
Chris PeBenito 17de1b
	')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
	allow $1 mysqld_t:process signal;
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
## <summary>
Chris PeBenito dc1920
##	Allow the specified domain to connect to postgresql with a tcp socket.
Chris PeBenito dc1920
## </summary>
Chris PeBenito dc1920
## <param name="domain">
Chris PeBenito dc1920
##	<summary>
Chris PeBenito dc1920
##	Domain allowed access.
Chris PeBenito dc1920
##	</summary>
Chris PeBenito dc1920
## </param>
Chris PeBenito dc1920
#
Chris PeBenito dc1920
interface(`mysql_tcp_connect',`
Chris PeBenito dc1920
	gen_require(`
Chris PeBenito dc1920
		type mysqld_t;
Chris PeBenito dc1920
	')
Chris PeBenito dc1920
Chris PeBenito dc1920
	corenet_tcp_recvfrom_labeled($1, mysqld_t)
Chris PeBenito dc1920
	corenet_tcp_sendrecv_mysqld_port($1)
Chris PeBenito dc1920
	corenet_tcp_connect_mysqld_port($1)
Chris PeBenito dc1920
	corenet_sendrecv_mysqld_client_packets($1)
Chris PeBenito dc1920
')
Chris PeBenito dc1920
Chris PeBenito dc1920
########################################
Chris PeBenito dc1920
## <summary>
Chris PeBenito 17de1b
##	Connect to MySQL using a unix domain stream socket.
Chris PeBenito 17de1b
## </summary>
Chris PeBenito 17de1b
## <param name="domain">
Chris PeBenito 17de1b
##	<summary>
Chris PeBenito 17de1b
##	Domain allowed access.
Chris PeBenito 17de1b
##	</summary>
Chris PeBenito 17de1b
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
interface(`mysql_stream_connect',`
Chris PeBenito 17de1b
	gen_require(`
Chris PeBenito 01e9e7
		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
Chris PeBenito 17de1b
	')
Chris PeBenito 17de1b
Chris PeBenito 0bfccd
	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
Chris PeBenito 01e9e7
	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
## <summary>
Chris PeBenito 17de1b
##	Read MySQL configuration files.
Chris PeBenito 17de1b
## </summary>
Chris PeBenito 17de1b
## <param name="domain">
Chris PeBenito 17de1b
##	<summary>
Chris PeBenito 17de1b
##	Domain allowed access.
Chris PeBenito 17de1b
##	</summary>
Chris PeBenito 17de1b
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
interface(`mysql_read_config',`
Chris PeBenito 17de1b
	gen_require(`
Chris PeBenito 17de1b
		type mysqld_etc_t;
Chris PeBenito 17de1b
	')
Chris PeBenito 17de1b
Chris PeBenito 82d277
	allow $1 mysqld_etc_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 mysqld_etc_t:file read_file_perms;
Chris PeBenito 82d277
	allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
## <summary>
Chris PeBenito 17de1b
##	Search the directories that contain MySQL
Chris PeBenito 17de1b
##	database storage.
Chris PeBenito 17de1b
## </summary>
Chris PeBenito 17de1b
## <param name="domain">
Chris PeBenito 17de1b
##	<summary>
Chris PeBenito 17de1b
##	Domain allowed access.
Chris PeBenito 17de1b
##	</summary>
Chris PeBenito 17de1b
## </param>
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# cjp: "_dir" in the name is added to clarify that this
Chris PeBenito 17de1b
# is not searching the database itself.
Chris PeBenito 17de1b
interface(`mysql_search_db',`
Chris PeBenito 17de1b
	gen_require(`
Chris PeBenito 17de1b
		type mysqld_db_t;
Chris PeBenito 17de1b
	')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
	files_search_var_lib($1)
Chris PeBenito 82d277
	allow $1 mysqld_db_t:dir search_dir_perms;
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
## <summary>
Chris PeBenito 17de1b
##	Read and write to the MySQL database directory.
Chris PeBenito 17de1b
## </summary>
Chris PeBenito 17de1b
## <param name="domain">
Chris PeBenito 17de1b
##	<summary>
Chris PeBenito 17de1b
##	Domain allowed access.
Chris PeBenito 17de1b
##	</summary>
Chris PeBenito 17de1b
## </param>
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
interface(`mysql_rw_db_dirs',`
Chris PeBenito 17de1b
	gen_require(`
Chris PeBenito 17de1b
		type mysqld_db_t;
Chris PeBenito 17de1b
	')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
	files_search_var_lib($1)
Chris PeBenito 17de1b
	allow $1 mysqld_db_t:dir rw_dir_perms;
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
## <summary>
Chris PeBenito 17de1b
##	Create, read, write, and delete MySQL database directories.
Chris PeBenito 17de1b
## </summary>
Chris PeBenito 17de1b
## <param name="domain">
Chris PeBenito 17de1b
##	<summary>
Chris PeBenito 17de1b
##	Domain allowed access.
Chris PeBenito 17de1b
##	</summary>
Chris PeBenito 17de1b
## </param>
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
interface(`mysql_manage_db_dirs',`
Chris PeBenito 17de1b
	gen_require(`
Chris PeBenito 17de1b
		type mysqld_db_t;
Chris PeBenito 17de1b
	')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
	files_search_var_lib($1)
Chris PeBenito c0868a
	allow $1 mysqld_db_t:dir manage_dir_perms;
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 339235
#######################################
Chris PeBenito 339235
## <summary>
Chris PeBenito 3f67f7
##	Append to the MySQL database directory.
Chris PeBenito 339235
## </summary>
Chris PeBenito 339235
## <param name="domain">
Chris PeBenito 3f67f7
##	<summary>
Chris PeBenito 3f67f7
##	Domain allowed access.
Chris PeBenito 3f67f7
##	</summary>
Chris PeBenito 339235
## </param>
Chris PeBenito 339235
#
Chris PeBenito 339235
interface(`mysql_append_db_files',`
Chris PeBenito 3f67f7
	gen_require(`
Chris PeBenito 3f67f7
		type mysqld_db_t;
Chris PeBenito 3f67f7
	')
Chris PeBenito 339235
Chris PeBenito 339235
	files_search_var_lib($1)
Chris PeBenito 339235
	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
Chris PeBenito 339235
')
Chris PeBenito 339235
Chris PeBenito 339235
#######################################
Chris PeBenito 339235
## <summary>
Chris PeBenito 3f67f7
##	Read and write to the MySQL database directory.
Chris PeBenito 339235
## </summary>
Chris PeBenito 339235
## <param name="domain">
Chris PeBenito 3f67f7
##	<summary>
Chris PeBenito 3f67f7
##	Domain allowed access.
Chris PeBenito 3f67f7
##	</summary>
Chris PeBenito 339235
## </param>
Chris PeBenito 339235
#
Chris PeBenito 339235
interface(`mysql_rw_db_files',`
Chris PeBenito 3f67f7
	gen_require(`
Chris PeBenito 3f67f7
		type mysqld_db_t;
Chris PeBenito 3f67f7
	')
Chris PeBenito 339235
Chris PeBenito 3f67f7
	files_search_var_lib($1)
Chris PeBenito 339235
	rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
Chris PeBenito 339235
')
Chris PeBenito 339235
Chris PeBenito 339235
#######################################
Chris PeBenito 339235
## <summary>
Chris PeBenito 3f67f7
##	Create, read, write, and delete MySQL database files.
Chris PeBenito 339235
## </summary>
Chris PeBenito 339235
## <param name="domain">
Chris PeBenito 3f67f7
##	<summary>
Chris PeBenito 3f67f7
##	Domain allowed access.
Chris PeBenito 3f67f7
##	</summary>
Chris PeBenito 339235
## </param>
Chris PeBenito 339235
#
Chris PeBenito 339235
interface(`mysql_manage_db_files',`
Chris PeBenito 3f67f7
	gen_require(`
Chris PeBenito 3f67f7
		type mysqld_db_t;
Chris PeBenito 3f67f7
	')
Chris PeBenito 339235
Chris PeBenito 3f67f7
	files_search_var_lib($1)
Chris PeBenito 3f67f7
	manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
Chris PeBenito 339235
')
Chris PeBenito 339235
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
## <summary>
Chris PeBenito 17de1b
##	Read and write to the MySQL database
Chris PeBenito 17de1b
##	named socket.
Chris PeBenito 17de1b
## </summary>
Chris PeBenito 17de1b
## <param name="domain">
Chris PeBenito 17de1b
##	<summary>
Chris PeBenito 17de1b
##	Domain allowed access.
Chris PeBenito 17de1b
##	</summary>
Chris PeBenito 17de1b
## </param>
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
interface(`mysql_rw_db_sockets',`
Chris PeBenito 17de1b
	gen_require(`
Chris PeBenito 17de1b
		type mysqld_db_t;
Chris PeBenito 17de1b
	')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
	files_search_var_lib($1)
Chris PeBenito 82d277
	allow $1 mysqld_db_t:dir search_dir_perms;
Chris PeBenito 0b36a2
	allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
## <summary>
Chris PeBenito 17de1b
##	Write to the MySQL log.
Chris PeBenito 17de1b
## </summary>
Chris PeBenito 17de1b
## <param name="domain">
Chris PeBenito 17de1b
##	<summary>
Chris PeBenito 17de1b
##	Domain allowed access.
Chris PeBenito 17de1b
##	</summary>
Chris PeBenito 17de1b
## </param>
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
interface(`mysql_write_log',`
Chris PeBenito 17de1b
	gen_require(`
Chris PeBenito 17de1b
		type mysqld_log_t;
Chris PeBenito 17de1b
	')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
	logging_search_logs($1)
Chris PeBenito 82d277
	allow $1 mysqld_log_t:file { write_file_perms setattr };
Chris PeBenito 17de1b
')
Chris PeBenito 01e9e7
Chris PeBenito 9e506e
######################################
Chris PeBenito 9e506e
## <summary>
Chris PeBenito 9e506e
##	Execute MySQL server in the mysql domain.
Chris PeBenito 9e506e
## </summary>
Chris PeBenito 9e506e
## <param name="domain">
Chris PeBenito 9e506e
##	<summary>
Chris PeBenito 9e506e
##	Domain allowed access.
Chris PeBenito 9e506e
##	</summary>
Chris PeBenito 9e506e
## </param>
Chris PeBenito 9e506e
#
Chris PeBenito 9e506e
interface(`mysql_domtrans_mysql_safe',`
Chris PeBenito 9e506e
	gen_require(`
Chris PeBenito 9e506e
		type mysqld_safe_t, mysqld_safe_exec_t;
Chris PeBenito 9e506e
	')
Chris PeBenito 9e506e
Chris PeBenito 9e506e
	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
Chris PeBenito 9e506e
')
Chris PeBenito 9e506e
Chris PeBenito 339235
#####################################
Chris PeBenito 339235
## <summary>
Chris Richards 68cda5
##	Read MySQL PID files.
Chris Richards 68cda5
## </summary>
Chris Richards 68cda5
## <param name="domain">
Chris Richards 68cda5
##	<summary>
Chris Richards 68cda5
##	Domain allowed access.
Chris Richards 68cda5
##	</summary>
Chris Richards 68cda5
## </param>
Chris Richards 68cda5
#
Chris Richards 68cda5
interface(`mysql_read_pid_files',`
Chris Richards 68cda5
	gen_require(`
Chris Richards 68cda5
		type mysqld_var_run_t;
Chris Richards 68cda5
	')
Chris Richards 68cda5
Chris Richards 68cda5
	mysql_search_pid_files($1)
Chris Richards 68cda5
	read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
Chris Richards 68cda5
')
Chris Richards 68cda5
Chris Richards 68cda5
#####################################
Chris Richards 68cda5
## <summary>
Chris PeBenito 3f67f7
##	Search MySQL PID files.
Chris PeBenito 339235
## </summary>
Chris PeBenito 339235
## <param name="domain">
Chris PeBenito 3f67f7
##	<summary>
Chris PeBenito 3f67f7
##	Domain allowed access.
Chris PeBenito 3f67f7
##	</summary>
Chris PeBenito 339235
## </param>
Chris PeBenito 339235
##
Chris PeBenito 339235
#
Chris PeBenito 339235
interface(`mysql_search_pid_files',`
Chris PeBenito 3f67f7
	gen_require(`
Chris PeBenito 3f67f7
		type mysqld_var_run_t;
Chris PeBenito 3f67f7
	')
Chris PeBenito 339235
Chris PeBenito 3f67f7
	search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
Chris PeBenito 339235
')
Chris PeBenito 339235
Chris PeBenito 01e9e7
########################################
Chris PeBenito 01e9e7
## <summary>
Chris PeBenito 01e9e7
##	All of the rules required to administrate an mysql environment
Chris PeBenito 01e9e7
## </summary>
Chris PeBenito 01e9e7
## <param name="domain">
Chris PeBenito 01e9e7
##	<summary>
Chris PeBenito 01e9e7
##	Domain allowed access.
Chris PeBenito 01e9e7
##	</summary>
Chris PeBenito 01e9e7
## </param>
Chris PeBenito 01e9e7
## <param name="role">
Chris PeBenito 01e9e7
##	<summary>
Chris PeBenito 01e9e7
##	The role to be allowed to manage the mysql domain.
Chris PeBenito 01e9e7
##	</summary>
Chris PeBenito 01e9e7
## </param>
Chris PeBenito 01e9e7
## <rolecap/>
Chris PeBenito 01e9e7
#
Chris PeBenito 01e9e7
interface(`mysql_admin',`
Chris PeBenito 01e9e7
	gen_require(`
Chris PeBenito 01e9e7
		type mysqld_t, mysqld_var_run_t;
Chris PeBenito 01e9e7
		type mysqld_tmp_t, mysqld_db_t;
Chris PeBenito 01e9e7
		type mysqld_etc_t, mysqld_log_t;
Chris PeBenito 01e9e7
		type mysqld_initrc_exec_t;
Chris PeBenito 01e9e7
	')
Chris PeBenito 01e9e7
Chris PeBenito 01e9e7
	allow $1 mysqld_t:process { ptrace signal_perms };
Chris PeBenito 01e9e7
	ps_process_pattern($1, mysqld_t)
Chris PeBenito 01e9e7
Chris PeBenito 01e9e7
	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
Chris PeBenito 01e9e7
	domain_system_change_exemption($1)
Chris PeBenito 01e9e7
	role_transition $2 mysqld_initrc_exec_t system_r;
Chris PeBenito 01e9e7
	allow $2 system_r;
Chris PeBenito 01e9e7
Chris PeBenito 01e9e7
	admin_pattern($1, mysqld_var_run_t)
Chris PeBenito 01e9e7
Chris PeBenito 01e9e7
	admin_pattern($1, mysqld_db_t)
Chris PeBenito 01e9e7
Chris PeBenito 01e9e7
	admin_pattern($1, mysqld_etc_t)
Chris PeBenito 01e9e7
Chris PeBenito 01e9e7
	admin_pattern($1, mysqld_log_t)
Chris PeBenito 01e9e7
Chris PeBenito 01e9e7
	admin_pattern($1, mysqld_tmp_t)
Chris PeBenito 01e9e7
')