
From:Joerg Bruehe Date:January 25 2007 4:51pm
Subject:bk commit into 5.0 tree (joerg:1.2385) BUG#12676
Below is the list of changes that have just been committed into a local
5.0 repository of joerg. When joerg does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-01-25 17:51:21+01:00, joerg@trift2. +5 -0
  For Linux systems running RHEL 4 (which includes SE-Linux), we need to provide
  additional files that specify some actions which are allowed to the MySQL binaries.
      
  Create a new subdirectory "support-files/RHEL4-SElinux" for them, and process it.
  
  This fixes bug#12676.

  configure.in@stripped, 2007-01-25 17:51:18+01:00, joerg@trift2. +2 -1
    New "support-files/RHEL4-SElinux/Makefile.am" must be processed by "automake" etc.

  support-files/Makefile.am@stripped, 2007-01-25 17:51:18+01:00, joerg@trift2. +2 -2
    For Linux systems running RHEL 4 (which includes SE-Linux), we need to provide
    additional files that specify some actions which are allowed to the MySQL binaries.
    
    Create a new subdirectory "supportfiles/RHEL4-SElinux" for them, and process it.

  support-files/RHEL4-SElinux/Makefile.am@stripped, 2007-01-25 17:51:18+01:00, joerg@trift2. +23 -0
    BitKeeper file /MySQL/M50/bug12676-5.0/support-files/RHEL4-SElinux/Makefile.am

  support-files/RHEL4-SElinux/Makefile.am@stripped, 2007-01-25 17:51:18+01:00, joerg@trift2. +0 -0

  support-files/RHEL4-SElinux/mysql.fc@stripped, 2007-01-25 17:51:18+01:00, joerg@trift2. +25 -0
    BitKeeper file /MySQL/M50/bug12676-5.0/support-files/RHEL4-SElinux/mysql.fc

  support-files/RHEL4-SElinux/mysql.fc@stripped, 2007-01-25 17:51:18+01:00, joerg@trift2. +0 -0

  support-files/RHEL4-SElinux/mysql.te@stripped, 2007-01-25 17:51:18+01:00, joerg@trift2. +132 -0
    BitKeeper file /MySQL/M50/bug12676-5.0/support-files/RHEL4-SElinux/mysql.te

  support-files/RHEL4-SElinux/mysql.te@stripped, 2007-01-25 17:51:18+01:00, joerg@trift2. +0 -0

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	joerg
# Host:	trift2.
# Root:	/MySQL/M50/bug12676-5.0

--- 1.419/configure.in	2007-01-16 12:46:45 +01:00
+++ 1.420/configure.in	2007-01-25 17:51:18 +01:00
@@ -2860,7 +2860,8 @@
  include/Makefile sql-bench/Makefile dnl
  server-tools/Makefile server-tools/instance-manager/Makefile dnl
  tests/Makefile Docs/Makefile support-files/Makefile dnl
- support-files/MacOSX/Makefile mysql-test/Makefile dnl
+ support-files/MacOSX/Makefile support-files/RHEL4-SElinux/Makefile dnl
+ mysql-test/Makefile dnl
  netware/Makefile dnl
  include/mysql_version.h dnl
  cmd-line-utils/Makefile dnl

--- 1.33/support-files/Makefile.am	2006-12-30 21:02:08 +01:00
+++ 1.34/support-files/Makefile.am	2007-01-25 17:51:18 +01:00
@@ -30,13 +30,13 @@
 			MySQL-shared-compat.spec.sh \
 			ndb-config-2-node.ini.sh
 
-SUBDIRS = MacOSX
+SUBDIRS =		MacOSX RHEL4-SElinux
 
 pkgdata_DATA =		my-small.cnf \
 			my-medium.cnf \
 			my-large.cnf \
 			my-huge.cnf \
-      my-innodb-heavy-4G.cnf \
+			my-innodb-heavy-4G.cnf \
 			mysql-log-rotate \
 			binary-configure \
 			ndb-config-2-node.ini
--- New file ---
+++ support-files/RHEL4-SElinux/Makefile.am	07/01/25 17:51:18
# Copyright (C) 2000-2001, 2003-2006 MySQL AB
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Library General Public
# License as published by the Free Software Foundation; version 2
# of the License.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Library General Public License for more details.
#
# You should have received a copy of the GNU Library General Public
# License along with this library; if not, write to the Free
# Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
# MA 02111-1307, USA

## Process this file with automake to create Makefile.in

EXTRA_DIST =		mysql.fc mysql.te

# Don't update the files from bitkeeper
%::SCCS/s.%
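Review bot: `EXTRA_DIST = mysql.fc mysql.te` only places the two policy files in the source distribution; as far as this Makefile shows, nothing compiles, installs or loads them, and nothing tells an administrator that this step is left to them. Someone who builds from this tree on an SELinux host could reasonably assume mysqld is confined when the module was never loaded. I would add a comment above `EXTRA_DIST`, such as `# Shipped as source only: the policy module must be built and loaded by the administrator.`, or a short README in this directory covering the build and load steps and how to verify the resulting labels.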

--- New file ---
+++ support-files/RHEL4-SElinux/mysql.fc	07/01/25 17:51:18
# MySQL Database Server

#
# /etc
#
/etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)

#
# /usr
# Red Hat compatibility
/usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)

# MySQL AB compatibility
/usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)

#
# /var
#
/var/lib/mysql(/.*)?		gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql\.sock -s	gen_context(system_u:object_r:mysqld_var_run_t,s0)

/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)

/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
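Review bot: Only `/usr/libexec/mysqld` and `/usr/sbin/mysqld(-max)?` receive `mysqld_exec_t`, so a server binary installed under any other prefix stays unlabelled and, presumably, never enters `mysqld_t`. That failure is silent, so I would state it in the `# /usr` block with a comment like `# mysqld installed elsewhere is NOT confined unless its path is added here`. Separately, the unanchored `/var/log/mysql.*` labels every regular file whose path merely starts with that prefix as `mysqld_log_t`, which the daemon can create and write. Narrowing it to the log names the packages actually use would keep unrelated files out of that type.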

--- New file ---
+++ support-files/RHEL4-SElinux/mysql.te	07/01/25 17:51:18

policy_module(mysql,1.0.0)

########################################
#
# Declarations
#

type mysqld_t;
type mysqld_exec_t;
init_daemon_domain(mysqld_t,mysqld_exec_t)

type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)

type mysqld_db_t;
files_type(mysqld_db_t)

type mysqld_etc_t alias etc_mysqld_t;
files_config_file(mysqld_etc_t)

type mysqld_log_t;
logging_log_file(mysqld_log_t)

type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)

########################################
#
# Local policy
#

allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;

allow mysqld_t mysqld_db_t:dir create_dir_perms;
allow mysqld_t mysqld_db_t:file create_file_perms;
allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
files_var_lib_filetrans(mysqld_t,mysqld_db_t,{ dir file })

allow mysqld_t mysqld_etc_t:file { getattr read };
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
allow mysqld_t mysqld_etc_t:dir list_dir_perms;

allow mysqld_t mysqld_log_t:file create_file_perms;
logging_log_filetrans(mysqld_t,mysqld_log_t,file)

allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
allow mysqld_t mysqld_tmp_t:file create_file_perms;
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })

allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
allow mysqld_t mysqld_var_run_t:file create_file_perms;
files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)

kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)

corenet_non_ipsec_sendrecv(mysqld_t)
corenet_tcp_sendrecv_all_if(mysqld_t)
corenet_udp_sendrecv_all_if(mysqld_t)
corenet_tcp_sendrecv_all_nodes(mysqld_t)
corenet_udp_sendrecv_all_nodes(mysqld_t)
corenet_tcp_sendrecv_all_ports(mysqld_t)
corenet_udp_sendrecv_all_ports(mysqld_t)
corenet_tcp_bind_all_nodes(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
corenet_sendrecv_mysqld_client_packets(mysqld_t)
corenet_sendrecv_mysqld_server_packets(mysqld_t)

dev_read_sysfs(mysqld_t)

fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)

term_dontaudit_use_console(mysqld_t)

domain_use_interactive_fds(mysqld_t)

files_getattr_var_lib_dirs(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
files_read_etc_files(mysqld_t)
files_read_usr_files(mysqld_t)
files_search_var_lib(mysqld_t)

auth_use_nsswitch(mysqld_t)

init_use_fds(mysqld_t)
init_use_script_ptys(mysqld_t)

libs_use_ld_so(mysqld_t)
libs_use_shared_libs(mysqld_t)

logging_send_syslog_msg(mysqld_t)

miscfiles_read_localization(mysqld_t)

sysnet_read_config(mysqld_t)

userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
# for /root/.my.cnf - should not be needed:
userdom_read_sysadm_home_content_files(mysqld_t)

ifdef(`distro_redhat',`
	# because Fedora has the sock_file in the database directory
	type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
')

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(mysqld_t)
	term_dontaudit_use_generic_ptys(mysqld_t)
	files_dontaudit_read_root_files(mysqld_t)
')

optional_policy(`
	daemontools_service_domain(mysqld_t, mysqld_exec_t)
')

optional_policy(`
	seutil_sigchld_newrole(mysqld_t)
')

optional_policy(`
	udev_read_db(mysqld_t)
')
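Review bot: `userdom_read_sysadm_home_content_files(mysqld_t)` lets the confined daemon read the administrator's home content, and the comment directly above it already says this "should not be needed". `/root/.my.cnf` commonly holds client credentials, so a compromised server process could read them, which is the kind of access this policy exists to deny. I would drop the line and, if the resulting denials are noisy, silence them with a dontaudit rule rather than an allow. Separately, `dac_override` in the `self:capability` set deserves a why-comment, for example `# dac_override: <reason; remove if file ownership is set correctly>`, because it lets `mysqld_t` ignore Unix permission bits on every type the policy lets it reach.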
