[Apparmor-general] Apparmor profile for mysqld_safe?

Christian Boltz apparmor at cboltz.de
Wed Mar 5 03:20:06 MST 2008


Hello,

[accidentally sent as PM yesterday, resending to the list]

On Tuesday, 4 March 2008, Mostro Mostro wrote:
> I'm building a profile for mysql/mysqld_safe. When running aa-logprof
> I am constantly being asked to respond to the output below.
>
> Complain-mode changes:
>
> Profile:  /usr/bin/mysqld_safe
> Path:     /
> Mode:     w
> Severity: unknown

> Correct me if I am wrong but does that read give write access to
> everything?  I usually deny it and everything appears to work fine.
> Also, the skip-networking directive is active on MySql.

Hmm, it gives write access to / _without_ subdirectories (then it would 
be "/*" or even "/**").

Questions:
- is there some type of chroot involved in your MySQL setup?
- what's the result of   ls -ld /   and   ls -l /   ?
  (everything should be owned by root:root and not have write 
  permissions for group or other - except for /tmp of course, which is
  writable for everybody and has the sticky bit)

> Here is the profile.
>
> [usr.bin.mysqld_safe]
>
> #include <tunables/global>
> /usr/bin/mysqld_safe flags=(complain) {
>   #include <abstractions/base>
>   #include <abstractions/bash>
>
>   capability chown,
>   capability dac_override,
>   capability setgid,
>   capability setuid,
>
>   /bin/bash ixr,
>   /bin/chown ixr,
>   /bin/date ixr,
>   /bin/rm ixr,
>   /bin/sed ixr,
>   /bin/touch ixr,
>   /dev/tty rw,
>   /etc/group r,
>   /etc/my.cnf r,
>   /etc/nsswitch.conf r,
>   /etc/passwd r,
>   /usr/bin/dirname ixr,
>   /usr/bin/expr ixr,
>   /usr/bin/my_print_defaults ixr,
>   /usr/bin/mysqld_safe mr,
>   /usr/bin/nice ixr,
>   /usr/bin/nohup ixr,
>   /usr/sbin/mysqld ixr,
>   /usr/share/mysql/charsets/Index.xml r,
>   /usr/share/mysql/english/errmsg.sys r,
>   /var/lib/mysql/* rw,
>   /var/lib/mysql/.tmp/ r,
>   /var/lib/mysql/.tmp/* w,
>   /var/lib/mysql/ib_logfile0 krw,
>   /var/lib/mysql/ib_logfile1 krw,
>   /var/lib/mysql/ibdata1 krw,
>   /var/lib/mysql/mysql/* rw,
>   /var/lib/mysql/portal/* rw,
> }

Sorry for not comparing the profile line by line. Instead, I'll show you 
the profile I use. Be warned that it is from a 10.2 server which 
doesn't know the lock ("k") flag. Using this profile on 10.3 without 
changes will cause REJECTs for all files which are flagged "krw" in 
your profile.

Just a general hint: If you use abstractions/*, your profiles will 
usually be smaller and more readable.

/usr/bin/mysqld_safe flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>

  capability chown,
  capability dac_override,

  /bin/bash ixr,
  /bin/cat ixr,
  /bin/chown ixr,
  /bin/date ixr,
  /bin/grep ixr,
  /bin/kill ixr,
  /bin/ps Uxr,   # needs CAP_SYS_PTRACE which can't be confined
  /bin/rm ixr,
  /bin/sed ixr,
  /bin/touch ixr,
  /dev/tty rw,
  /etc/my.cnf r,
  /root/.my.cnf r,
  /usr/bin/dirname ixr,
  /usr/bin/expr ixr,
  /usr/bin/my_print_defaults ixr,
  /usr/bin/mysqld_safe mr,
  /usr/bin/nice ixr,
  /usr/bin/nohup ixr,
  /usr/bin/tee ixr,
  /usr/sbin/mysqld Px,
  /var/lib/mysql/mysqld.log w, # maybe "a" is enough? (>= 10.3 only)
  /var/lib/mysql/mysqld.pid rw,
}


> [usr.sbin.mysqld]
>
> #include <tunables/global>
> /usr/sbin/mysqld flags=(complain) {
...

Looks good, but my profile has some more lines:
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /root/.my.cnf r,
  /usr/sbin/mysqld mr,  # not only r as in your profile


Regards,

Christian Boltz
-- 
So once again, apologies to all procmail fans! I think you have to
decide on one tool and then simply accept all of its features and
bugs; much like with women ...   ;-)
[Ralph Müller in suse-linux]
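The check Christian asks for above (run `ls -ld /` and `ls -l /`, confirm everything is owned by root:root and not writable by group or other, except sticky-bit directories like /tmp) as an added example script. This is not code from the thread or from the AppArmor project; the function name `audit_top_level`, its arguments and its output format are my own, and it assumes a `find` that supports `-maxdepth` (GNU and BSD both do). An unexpected group/other-writable entry directly under / is exactly the kind of thing worth knowing about before deciding whether to allow or deny a "/ w" event in aa-logprof.

```shell
#!/bin/sh
# Added example (not from the list thread): audit the top-level entries of a
# directory the way the mail suggests checking "ls -ld /" and "ls -l /".
# Everything directly under / should be owned by root and not be writable by
# group or other, except sticky-bit directories such as /tmp.
#
# audit_top_level [DIR] [OWNER]
#   DIR    directory to inspect (default /)
#   OWNER  expected owner of DIR and each entry in it (default root)
# Prints one line per finding; exit status 0 = clean, 1 = findings present.
audit_top_level() {
    dir=${1:-/}
    owner=${2:-root}

    findings=$(
        {
            # DIR itself and its direct children (symlinks skipped) that are
            # group- or other-writable and lack the sticky bit (octal 1000)
            find "$dir" -maxdepth 1 ! -type l \
                \( -perm -020 -o -perm -002 \) ! -perm -1000 \
                -exec printf '%s: writable by group/other without sticky bit\n' {} \;
            # DIR itself and its direct children not owned by the expected owner
            find "$dir" -maxdepth 1 ! -type l ! -user "$owner" \
                -exec printf '%s: not owned by %s\n' {} "$owner" \;
        } | sort
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use:  sh audit_top_level.sh / root
# (with no arguments the script only defines the function, so it can be sourced)
if [ "$#" -gt 0 ]; then
    audit_top_level "$@"
fi
```

On a normal system `audit_top_level / root` should print nothing and exit 0; any line it prints names an entry whose permissions or ownership deviate from what the mail expects and is a reasonable first suspect for the "/ w" events Mostro sees.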