[Apparmor-general] Apparmor profile for mysqld_safe?
John Johansen
jjohansen at suse.de
Tue Mar 4 14:43:48 MST 2008
Mostro Mostro wrote:
> Hi all,
>
> I'm building a profile for mysql/mysqld_safe. When running aa-logprof I am
> constantly being asked to respond to the output below.
>
That is because logprof currently rescans the entire log file. Since
the profile currently doesn't store what has been denied, it must re-ask the
question for anything it doesn't find covered by the profile.
There are 2 fixes for this; both of them will be coming in future
apparmor releases. The first is to store what has been denied in
the profile so logprof can skip asking the question over and over.
The second is the integration of adnarim's logprofIM into logprof.
logprofIM stores a little extra information so that the log
file doesn't have to be rescanned from the start each time.
> Complain-mode changes:
>
> Profile: /usr/bin/mysqld_safe
> Path: /
> Mode: w
> Severity: unknown
>
> [1 - /]
>
> [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
>
>
> Correct me if I am wrong but does that read give write access to
> everything? I usually deny it and everything appears to work fine. Also,
> the skip-networking directive is active on MySql.
No, it is asking for write access to the root directory. The rule for
access to everything would be /**
>
> Here is the profile.
>
> [usr.bin.mysqld_safe]
>
> #include <tunables/global>
> /usr/bin/mysqld_safe flags=(complain) {
>   #include <abstractions/base>
>   #include <abstractions/bash>
>
>   capability chown,
>   capability dac_override,
>   capability setgid,
>   capability setuid,
>
>   /bin/bash ixr,
>   /bin/chown ixr,
>   /bin/date ixr,
>   /bin/rm ixr,
>   /bin/sed ixr,
>   /bin/touch ixr,
>   /dev/tty rw,
>   /etc/group r,
>   /etc/my.cnf r,
>   /etc/nsswitch.conf r,
>   /etc/passwd r,
>   /usr/bin/dirname ixr,
>   /usr/bin/expr ixr,
>   /usr/bin/my_print_defaults ixr,
>   /usr/bin/mysqld_safe mr,
>   /usr/bin/nice ixr,
>   /usr/bin/nohup ixr,
>   /usr/sbin/mysqld ixr,
>   /usr/share/mysql/charsets/Index.xml r,
>   /usr/share/mysql/english/errmsg.sys r,
>   /var/lib/mysql/* rw,
>   /var/lib/mysql/.tmp/ r,
>   /var/lib/mysql/.tmp/* w,
>   /var/lib/mysql/ib_logfile0 krw,
>   /var/lib/mysql/ib_logfile1 krw,
>   /var/lib/mysql/ibdata1 krw,
>   /var/lib/mysql/mysql/* rw,
>   /var/lib/mysql/portal/* rw,
> }
>
> [usr.sbin.mysqld]
>
> #include <tunables/global>
> /usr/sbin/mysqld flags=(complain) {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
>   #include <abstractions/user-tmp>
>
>   capability dac_override,
>   capability setgid,
>   capability setuid,
>
>   /etc/my.cnf r,
>   /usr/sbin/mysqld r,
>   /usr/share/mysql/** r,
>   /var/lib/mysql/ r,
>   /var/lib/mysql/** klrw,
> }
>
> Thanks
>
> ad^2
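John's distinction between `/` and `/**`, and the difference between the `/var/lib/mysql/*` rule in the mysqld_safe profile and the `/var/lib/mysql/**` rule in the mysqld profile, can be checked with a small matcher. This is an added example, not code from the thread or from AppArmor itself: the glob-to-regex translation is a simplified model of apparmor.d(5) path matching (assumed here, not the real DFA matcher), and the rule excerpts are constructed from the profiles quoted above.

```python
import re

def aa_glob_to_regex(pattern: str) -> re.Pattern:
    """Simplified model of apparmor.d(5) globbing (assumed here, not the real
    DFA matcher): '**' spans '/', '*' does not, '{a,b}' is alternation."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rules(profile_body: str):
    """Parse 'path perms,' lines into (regex, perms) pairs. Includes and
    capability lines are skipped; exec modifiers (ix, Px) stay raw letters."""
    rules = []
    for line in profile_body.splitlines():
        line = line.strip().rstrip(",")
        if line.startswith("/"):
            path, perms = line.rsplit(None, 1)
            rules.append((aa_glob_to_regex(path), set(perms)))
    return rules

def allowed(rules, path: str, mode: str) -> bool:
    """True when every permission letter in mode is granted by a rule matching path."""
    granted = set()
    for rx, perms in rules:
        if rx.match(path):
            granted |= perms
    return set(mode) <= granted

# Constructed excerpts of the rules quoted in the thread.
MYSQLD_SAFE = parse_rules("/var/lib/mysql/* rw,\n/var/lib/mysql/ibdata1 krw,")
MYSQLD = parse_rules("/var/lib/mysql/ r,\n/var/lib/mysql/** klrw,")
ROOT_ONLY = parse_rules("/ w,")     # the rule logprof offered
EVERYTHING = parse_rules("/** w,")  # the rule that would grant everything
```

With these rules, `allowed(ROOT_ONLY, "/etc/shadow", "w")` is False while `allowed(EVERYTHING, "/etc/shadow", "w")` is True, and `/var/lib/mysql/*` does not cover `/var/lib/mysql/mysql/user.MYD` where `/var/lib/mysql/**` does.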