On 01/14/2011 04:48 PM, Luciano Furtado wrote:
> If I do that I would be giving mysqld_t the ability to run any binary
> labeled with bin_t. There has got to be a better option; that would open
> it up too much.
There are plenty of options; whether they are "better" depends on
your security goals.
> On 11-01-14 09:31, Dominick Grift wrote:
>> On 01/14/2011 03:28 PM, Luciano Furtado wrote:
>>> When I run audit2allow I get the following:
>>> #============= mysqld_t ==============
>>> allow mysqld_t bin_t:dir search;
>>> allow mysqld_t bin_t:file { read execute };
>>> allow mysqld_t bin_t:lnk_file read;
>>> allow mysqld_t shell_exec_t:file { read execute getattr execute_no_trans };
>> I would probably just allow the above. Looks like it wants to run the mysql
>> command, which I guess is labelled bin_t.
>> corecmd_exec_bin(mysqld_t)
>> corecmd_exec_shell(mysqld_t)
>> should suffice, I believe.
>>> What's the proper fix here? I don't want to give the mysqld_t permission
>>> to execute arbitrary scripts. The only solution I have right now is to
>>> relabel mysql_upgrade so it runs as unconfined, and that's not much of
>>> a solution.
>>> Best Regards.
>>> Luciano
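As an added illustration (not part of the thread and not code from the SELinux project), this Python script parses the audit2allow output quoted above and flags the rules behind the concern raised in the thread: execute grants on types that label many programs. The `BROAD_EXEC_TYPES` set and the function names are assumptions of this example.

```python
import re

# Constructed sample: the audit2allow output quoted in the thread, including
# the rule that the mail client wrapped across two lines.
SAMPLE = """\
#============= mysqld_t ==============
allow mysqld_t bin_t:dir search;
allow mysqld_t bin_t:file { read execute };
allow mysqld_t bin_t:lnk_file read;
allow mysqld_t shell_exec_t:file { read execute getattr
execute_no_trans };
"""

# Assumption for this example: types that label many unrelated programs, so an
# execute grant on them is not limited to the binary that triggered the denial.
BROAD_EXEC_TYPES = {"bin_t", "shell_exec_t"}
EXEC_PERMS = {"execute", "execute_no_trans"}

RULE = re.compile(r"allow\s+(\S+)\s+(\S+?):(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def parse_rules(text):
    """Yield (source, target, class, perms) for each allow rule."""
    # Drop comment lines, then join the rest so wrapped rules match as one.
    lines = (l for l in text.splitlines() if not l.lstrip().startswith("#"))
    body = " ".join(lines)
    for src, tgt, cls, perms in RULE.findall(body):
        yield src, tgt, cls, set(perms.strip("{} ").split())


def broad_exec_grants(text):
    """Return rules that let a domain execute files of a widely shared type."""
    findings = []
    for src, tgt, cls, perms in parse_rules(text):
        hit = perms & EXEC_PERMS
        if cls == "file" and tgt in BROAD_EXEC_TYPES and hit:
            # execute_no_trans: the program runs in the caller's own domain.
            findings.append((src, tgt, sorted(hit), "execute_no_trans" in hit))
    return findings


if __name__ == "__main__":
    for src, tgt, perms, same_domain in broad_exec_grants(SAMPLE):
        note = " (runs without a domain transition)" if same_domain else ""
        print(f"{src} -> {tgt}:file {' '.join(perms)}{note}")
```
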