#DESC Mysqld - Database server
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: mysql-server
#################################
# Rules for the mysqld_t domain.
# mysqld_exec_t is the type of the mysqld executable.
# mysqld manages its own socket file(s) of type mysqld_var_run_t (create_file_perms macro).
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
# Keep etc_mysqld_t usable as an alias of mysqld_etc_t (presumably for compatibility with older policy/file contexts).
typealias mysqld_etc_t alias etc_mysqld_t;
# Type for the database files themselves; carries the file_type and sysadmfile attributes.
type mysqld_db_t, file_type, sysadmfile;
# Read-only view of tmp_t directories (getattr/read); no create/write is granted here.
allow mysqld_t tmp_t:dir { getattr read };
# Read-only access to usr_t files.
allow mysqld_t usr_t:file { getattr read };
# mysqld may read/write its own pipes.
allow mysqld_t self:fifo_file { read write };
# mysqld may create and use its own unix stream sockets (create_stream_socket_perms macro).
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
# The init script domain may connect to mysqld's unix stream socket.
allow initrc_t mysqld_t:unix_stream_socket { connectto };
# ...and write to the socket file in mysqld_var_run_t (presumably the path used for that connection).
allow initrc_t mysqld_var_run_t:sock_file write;
# The init script may write/append to and change attributes of mysqld log files; note that read is deliberately not granted.
allow initrc_t mysqld_log_t:file { write append setattr ioctl };
# setuid/setgid capabilities — presumably so the daemon can change to the database user after start; no other capabilities are granted.
allow mysqld_t self:capability { setgid setuid };
# Query (not set) its own scheduling parameters.
allow mysqld_t self:process getsched;
# Read-only access to proc_t files.
allow mysqld_t proc_t:file { getattr read };
# Allow access to the mysqld databases
# Create/read/write access to the database directories and files (create_dir_file macro on mysqld_db_t).
create_dir_file(mysqld_t, mysqld_db_t)
# Traverse (search only, no listing) var_lib_t directories to reach the database directory.
allow mysqld_t var_lib_t:dir search;
# The init script gets read-only access to mysqld configuration dirs and files (r_dir_file macro).
r_dir_file(initrc_t, mysqld_etc_t)
# Read access to every etc_t and etc_runtime_t file and symlink, not just MySQL's own config (which is mysqld_etc_t).
allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
# Traverse etc_t directories (search only).
allow mysqld_t etc_t:dir search;
# Traverse the kernel sysctl directory tree.
allow mysqld_t sysctl_kernel_t:dir search;
# Read kernel sysctl values; write is not granted.
allow mysqld_t sysctl_kernel_t:file read;
# The sysadm domain may connect to mysqld over unix sockets (can_unix_connect macro).
can_unix_connect(sysadm_t, mysqld_t)
# for /root/.my.cnf - should not be needed
# Traverses every sysadm_home_dir_t directory, not only the one holding .my.cnf.
allow mysqld_t sysadm_home_dir_t:dir search;
# Grants read on all sysadm_home_t files, not only .my.cnf; since the author notes this
# should not be needed, it is a candidate for removal after confirming mysqld starts without it.
allow mysqld_t sysadm_home_t:file { read getattr };
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
allow logrotate_t mysqld_db_t:dir search;
allow logrotate_t mysqld_var_run_t:dir search;
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)