[Apparmor-general] Apparmor profile for mysqld_safe?
Mostro Mostro
mostro713 at gmail.com
Tue Mar 4 08:28:20 MST 2008
Hi all,
I'm building a profile for mysql/mysqld_safe. When running aa-logprof I am
constantly being asked to respond to the output below.
Complain-mode changes:
Profile: /usr/bin/mysqld_safe
Path: /
Mode: w
Severity: unknown
[1 - /]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Correct me if I am wrong, but does that read as giving write access to
everything? I usually deny it and everything appears to work fine. Also,
the skip-networking directive is active on MySQL.
Here is the profile.
[usr.bin.mysqld_safe]
#include <tunables/global>
/usr/bin/mysqld_safe flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/bash>

  capability chown,
  capability dac_override,
  capability setgid,
  capability setuid,

  /bin/bash ixr,
  /bin/chown ixr,
  /bin/date ixr,
  /bin/rm ixr,
  /bin/sed ixr,
  /bin/touch ixr,
  /dev/tty rw,
  /etc/group r,
  /etc/my.cnf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/bin/dirname ixr,
  /usr/bin/expr ixr,
  /usr/bin/my_print_defaults ixr,
  /usr/bin/mysqld_safe mr,
  /usr/bin/nice ixr,
  /usr/bin/nohup ixr,
  /usr/sbin/mysqld ixr,
  /usr/share/mysql/charsets/Index.xml r,
  /usr/share/mysql/english/errmsg.sys r,
  /var/lib/mysql/* rw,
  /var/lib/mysql/.tmp/ r,
  /var/lib/mysql/.tmp/* w,
  /var/lib/mysql/ib_logfile0 krw,
  /var/lib/mysql/ib_logfile1 krw,
  /var/lib/mysql/ibdata1 krw,
  /var/lib/mysql/mysql/* rw,
  /var/lib/mysql/portal/* rw,
}
[usr.sbin.mysqld]
#include <tunables/global>
/usr/sbin/mysqld flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability dac_override,
  capability setgid,
  capability setuid,

  /etc/my.cnf r,
  /usr/sbin/mysqld r,
  /usr/share/mysql/** r,
  /var/lib/mysql/ r,
  /var/lib/mysql/** klrw,
}
Thanks
ad^2
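
Added example, not part of the original post: a simplified Python model of AppArmor path globbing (`*` and `?` stop at `/`, `**` crosses it) that lists which file rules grant `w` on a given path. The rule text is a constructed excerpt of the profile above plus the proposed `/ w,` rule; `glob_to_regex`, `parse_rules` and `writers` are hypothetical helper names, and the parser's edge cases are not modelled.

```python
import re

# Constructed excerpt: file rules from the usr.bin.mysqld_safe profile in the
# post, plus the "/ w," rule that aa-logprof proposes (added for illustration).
PROFILE = """\
#include <abstractions/base>
capability dac_override,
/ w,
/etc/my.cnf r,
/var/lib/mysql/* rw,
/var/lib/mysql/.tmp/* w,
/var/lib/mysql/ibdata1 krw,
"""

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not.
    Character classes and {a,b} alternation are treated as literals here."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)

def parse_rules(text):
    """Return (path_glob, perms) for each simple 'path perms,' file rule."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith("/"):
            rules.append((parts[0], parts[1]))
    return rules

def writers(rules, path):
    """Return the globs of all rules that grant 'w' on the given path."""
    return [g for g, perms in rules
            if "w" in perms and glob_to_regex(g).fullmatch(path)]

if __name__ == "__main__":
    rules = parse_rules(PROFILE)
    for p in ("/", "/etc/passwd", "/var/lib/mysql/ibdata1",
              "/var/lib/mysql/portal/users.MYD"):
        print(f"{p:35} write granted by: {writers(rules, p) or 'nothing'}")
```

Under this model the literal rule `/ w,` covers only the path `/` itself; a rule such as `/** w,` is what would cover every path.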