#DESC Mysqld - Database server

#

# Author:  Russell Coker <russell@coker.com.au>

# X-Debian-Packages: mysql-server

#

#################################

#

# Rules for the mysqld_t domain.

#

# mysqld_exec_t is the type of the mysqld executable.

#

daemon_domain(mysqld, `, nscd_client_domain')

allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };

allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;

etcdir_domain(mysqld)

type mysqld_db_t, file_type, sysadmfile;

log_domain(mysqld)

# for temporary tables

tmp_domain(mysqld)

allow mysqld_t usr_t:file { getattr read };

allow mysqld_t self:fifo_file { read write };

allow mysqld_t self:unix_stream_socket create_stream_socket_perms;

allow initrc_t mysqld_t:unix_stream_socket connectto;

allow initrc_t mysqld_var_run_t:sock_file write;

allow initrc_t mysqld_log_t:file { write append setattr ioctl };

allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };

allow mysqld_t self:process { setsched getsched };

allow mysqld_t proc_t:file { getattr read };

# Allow access to the mysqld databases

create_dir_file(mysqld_t, mysqld_db_t)

allow mysqld_t var_lib_t:dir { getattr search };

can_network(mysqld_t)

can_ypbind(mysqld_t)

# read config files

r_dir_file(initrc_t, mysqld_etc_t)

allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };

allow mysqld_t etc_t:dir search;

read_sysctl(mysqld_t)

can_unix_connect(sysadm_t, mysqld_t)

# for /root/.my.cnf - should not be needed

allow mysqld_t sysadm_home_dir_t:dir search;

allow mysqld_t sysadm_home_t:file { read getattr };

ifdef(`logrotate.te', `

r_dir_file(logrotate_t, mysqld_etc_t)

allow logrotate_t mysqld_db_t:dir search;

allow logrotate_t mysqld_var_run_t:dir search;

allow logrotate_t mysqld_var_run_t:sock_file write;

can_unix_connect(logrotate_t, mysqld_t)

')

ifdef(`daemontools.te', `

domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)

allow svc_start_t mysqld_t:process signal;

svc_ipc_domain(mysqld_t)

')dnl end ifdef daemontools

ifdef(`distro_redhat', `

allow initrc_t mysqld_db_t:dir create_dir_perms;

# because Fedora has the sock_file in the database directory

file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)

')

ifdef(`targeted_policy', `', `

bool allow_user_mysql_connect false;

if (allow_user_mysql_connect) {

allow userdomain mysqld_var_run_t:dir search;

allow userdomain mysqld_var_run_t:sock_file write;

}

')

allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;

ifdef(`crond.te', `

allow system_crond_t mysqld_etc_t:file { getattr read };

')