[Apparmor-general] Apparmor profile for mysqld_safe?

Mostro Mostro mostro713 at gmail.com
Wed Mar 5 04:06:54 MST 2008


Hi Christian,

Here are the answers to your questions.

[ls -ld /]
drwxr-xr-x 20 root root 4096 2008-02-28 12:22 /

[ls -l]
drwxr-xr-x  2 root root  4096 2008-02-27 11:18 bin
drwxr-xr-x  4 root root  1024 2008-02-27 11:18 boot
drwxr-xr-x 10 root root  6460 2008-03-04 12:40 dev
drwxr-xr-x 65 root root  4096 2008-03-04 10:26 etc
drwxr-xr-x  5 root root  4096 2008-02-27 13:35 home
drwxr-xr-x 10 root root  4096 2008-02-27 11:16 lib
drwx------  2 root root 16384 2008-02-26 17:25 lost+found
drwxr-xr-x  2 root root  4096 2007-09-21 18:04 media
drwxr-xr-x  2 root root  4096 2007-09-21 18:04 mnt
drwxr-xr-x  2 root root  4096 2007-09-21 18:04 opt
dr-xr-xr-x 90 root root     0 2008-02-28 12:22 proc
drwx------  6 root root  4096 2008-03-04 10:34 root
drwxr-xr-x  3 root root  4096 2008-02-29 11:12 sbin
drwxr-xr-x  4 root root  4096 2008-02-26 17:26 srv
drwxr-xr-x 11 root root     0 2008-02-28 12:22 sys
drwxrwxrwt  4 root root  4096 2008-03-04 10:33 tmp  <- sticky bit set
drwxr-xr-x 12 root root  4096 2008-02-26 17:26 usr
drwxr-xr-x 13 root root  4096 2008-02-26 17:26 var

mysql was installed during the installation process.

root     10256  0.0  0.0   2640  1280 pts/0    S    05:59   0:00 /bin/sh
/usr/bin/mysqld_safe --mysqld=mysqld --user=mysql
--pid-file=/var/lib/mysql/mysqld.pid --socket=/var/lib/mysql/mysql.sock
--datadir=/var/lib/mysql
mysql    10313  0.0  0.7 109020 14660 pts/0    Sl   05:59   0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql
--pid-file=/var/lib/mysql/mysqld.pid --skip-external-locking --port=3306
--socket=/var/lib/mysql/mysql.sock


Thanks

ad^2

On Wed, Mar 5, 2008 at 5:20 AM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> [accidentally sent as PM yesterday, resending to the list]
>
> On Tuesday, 4 March 2008, Mostro Mostro wrote:
> > I'm building a profile for mysql/mysqld_safe. When running aa-logprof
> > I am constantly being asked to respond to the output below.
> >
> > Complain-mode changes:
> >
> > Profile:  /usr/bin/mysqld_safe
> > Path:     /
> > Mode:     w
> > Severity: unknown
>
> > Correct me if I am wrong but does that read give write access to
> > everything?  I usually deny it and everything appears to work fine.
> > Also, the skip-networking directive is active on MySql.
>
> Hmm, it gives write access to / _without_ subdirectories (then it would
> be "/*" or even "/**").
>
> Questions:
> - is there some type of chroot involved in your MySQL setup?
> - what's the result of   ls -ld /   and   ls -l /   ?
>  (everything should be owned by root:root and not have write
>  permissions for group or other - except of /tmp of course, which is
>  writeable for everybody and has the sticky bit)
>
> > Here is the profile.
> >
> > [usr.bin.mysqld_safe]
> >
> > #include <tunables/global>
> > /usr/bin/mysqld_safe flags=(complain) {
> >   #include <abstractions/base>
> >   #include <abstractions/bash>
> >
> >   capability chown,
> >   capability dac_override,
> >   capability setgid,
> >   capability setuid,
> >
> >   /bin/bash ixr,
> >   /bin/chown ixr,
> >   /bin/date ixr,
> >   /bin/rm ixr,
> >   /bin/sed ixr,
> >   /bin/touch ixr,
> >   /dev/tty rw,
> >   /etc/group r,
> >   /etc/my.cnf r,
> >   /etc/nsswitch.conf r,
> >   /etc/passwd r,
> >   /usr/bin/dirname ixr,
> >   /usr/bin/expr ixr,
> >   /usr/bin/my_print_defaults ixr,
> >   /usr/bin/mysqld_safe mr,
> >   /usr/bin/nice ixr,
> >   /usr/bin/nohup ixr,
> >   /usr/sbin/mysqld ixr,
> >   /usr/share/mysql/charsets/Index.xml r,
> >   /usr/share/mysql/english/errmsg.sys r,
> >   /var/lib/mysql/* rw,
> >   /var/lib/mysql/.tmp/ r,
> >   /var/lib/mysql/.tmp/* w,
> >   /var/lib/mysql/ib_logfile0 krw,
> >   /var/lib/mysql/ib_logfile1 krw,
> >   /var/lib/mysql/ibdata1 krw,
> >   /var/lib/mysql/mysql/* rw,
> >   /var/lib/mysql/portal/* rw,
> > }
>
> Sorry for not comparing the profile line by line. Instead, I'll show you
> the profile I use. Be warned that it is from a 10.2 server which
> doesn't know the lock ("k") flag. Using this profile on 10.3 without
> changes will cause REJECTs for all files which are flagged "krw" in
> your profile.
>
> Just a general hint: If you use abstractions/*, your profiles will
> usually be smaller and better readable.
>
> /usr/bin/mysqld_safe flags=(complain) {
>   #include <abstractions/base>
>   #include <abstractions/bash>
>   #include <abstractions/mysql>
>   #include <abstractions/nameservice>
>
>   capability chown,
>   capability dac_override,
>
>   /bin/bash ixr,
>   /bin/cat ixr,
>   /bin/chown ixr,
>   /bin/date ixr,
>   /bin/grep ixr,
>   /bin/kill ixr,
>   /bin/ps Uxr,   # needs CAP_SYS_PTRACE which can't be confined
>   /bin/rm ixr,
>   /bin/sed ixr,
>   /bin/touch ixr,
>   /dev/tty rw,
>   /etc/my.cnf r,
>   /root/.my.cnf r,
>   /usr/bin/dirname ixr,
>   /usr/bin/expr ixr,
>   /usr/bin/my_print_defaults ixr,
>   /usr/bin/mysqld_safe mr,
>   /usr/bin/nice ixr,
>   /usr/bin/nohup ixr,
>   /usr/bin/tee ixr,
>   /usr/sbin/mysqld Px,
>   /var/lib/mysql/mysqld.log w, # maybe "a" is enough? (>= 10.3 only)
>   /var/lib/mysql/mysqld.pid rw,
> }
>
>
> > [usr.sbin.mysqld]
> >
> > #include <tunables/global>
> > /usr/sbin/mysqld flags=(complain) {
> ...
>
> Looks good, but my profile has some more lines:
>  /etc/hosts.allow r,
>  /etc/hosts.deny r,
>  /root/.my.cnf r,
>  /usr/sbin/mysqld mr,  # not only r as in your profile
>
>
> Regards,
>
> Christian Boltz
> --
> So once again, apologies to all procmail fans! I think you have to
> decide on one tool and then simply accept all of its features and
> bugs; a bit like with women ...   ;-)
> [Ralph Müller in suse-linux]
>
> _______________________________________________
> Apparmor-general mailing list
> Apparmor-general at forge.novell.com
> http://forge.novell.com/mailman/listinfo/apparmor-general
>
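Christian's point about "/" versus "/*" versus "/**" is the crux of the thread: a rule for the bare path "/" grants write access to the root directory inode only, not to anything under it. The following is an added example (not code from the thread, from AppArmor, or from aa-logprof) that aggregates denials from constructed audit-log lines and checks them against a candidate rule set with a simplified glob matcher. The log lines use the key="value" field layout and are an assumption; the matcher supports only "*", "**" and "?" as described in apparmor.d(5) and refuses brace alternation and character classes; EXAMPLE_RULES is a hypothetical subset of the rules posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (assumed format, not taken from the thread).
# The mysqld_safe "/" denial mirrors the aa-logprof prompt discussed above;
# the "k" denial is the lock flag Christian mentions for >= 10.3.
SAMPLE_LOG = """\
type=APPARMOR_DENIED msg=audit(1204714000.101:200): operation="inode_permission" requested_mask="w" denied_mask="w" name="/" pid=10256 profile="/usr/bin/mysqld_safe"
type=APPARMOR_DENIED msg=audit(1204714000.102:201): operation="inode_permission" requested_mask="rw" denied_mask="w" name="/var/lib/mysql/mysqld.log" pid=10256 profile="/usr/bin/mysqld_safe"
type=APPARMOR_DENIED msg=audit(1204714000.103:202): operation="file_lock" requested_mask="k" denied_mask="k" name="/var/lib/mysql/ibdata1" pid=10313 profile="/usr/sbin/mysqld"
type=APPARMOR_DENIED msg=audit(1204714000.104:203): operation="inode_permission" requested_mask="r" denied_mask="r" name="/var/lib/mysql/mysql/user.MYD" pid=10313 profile="/usr/sbin/mysqld"
"""

# Hypothetical rule set, a subset of the profiles posted in the thread.
# Note "/var/lib/mysql/*" (single component) versus the subdirectory below.
EXAMPLE_RULES = {
    "/usr/bin/mysqld_safe": [("/var/lib/mysql/*", "rw"),
                             ("/var/lib/mysql/mysqld.pid", "rw")],
    "/usr/sbin/mysqld": [("/var/lib/mysql/*", "rw"),
                         ("/var/lib/mysql/ibdata1", "krw")],
}

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one audit line as a dict, or None."""
    if "profile=" not in line or "name=" not in line:
        return None
    return dict(_KV.findall(line))


def summarize(log_text):
    """Aggregate denied permission letters per (profile, path)."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        mask = ev.get("denied_mask") or ev.get("requested_mask", "")
        # Older kernels wrote masks like "w::"; keep only the letters.
        out[(ev["profile"], ev["name"])].update(c for c in mask if c.isalpha())
    return dict(out)


def _glob_to_regex(rule_path):
    """Translate a path glob into an anchored regex.
    '**' matches any run of characters including '/', '*' any run
    excluding '/', '?' one character excluding '/'. Brace alternation and
    bracket classes are deliberately unsupported in this simplified matcher."""
    if "{" in rule_path or "[" in rule_path:
        raise ValueError("alternation/classes not supported: %s" % rule_path)
    parts, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = rule_path[i]
        if c == "*":
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_matches(rule_path, path):
    """True if the rule's path glob covers `path` exactly (no prefix match)."""
    return _glob_to_regex(rule_path).match(path) is not None


def granted(rules, path):
    """Union of permission letters from every rule whose glob matches `path`."""
    perms = set()
    for rule_path, mode in rules:
        if rule_matches(rule_path, path):
            perms.update(mode)
    return perms


def uncovered(rules_by_profile, summary):
    """Denials that no rule of the owning profile covers: {(profile, path): missing}."""
    out = {}
    for (profile, path), needed in summary.items():
        missing = needed - granted(rules_by_profile.get(profile, []), path)
        if missing:
            out[(profile, path)] = missing
    return out


if __name__ == "__main__":
    for key, missing in sorted(uncovered(EXAMPLE_RULES, summarize(SAMPLE_LOG)).items()):
        print("%s needs %s on %s" % (key[0], "".join(sorted(missing)), key[1]))
```

Running it reports two gaps: mysqld_safe still needs "w" on "/" (no rule matches the bare root path, and adding "/ w" would cover only that one directory), and mysqld needs "r" on /var/lib/mysql/mysql/user.MYD, because "/var/lib/mysql/*" stops at the first path component and a "/var/lib/mysql/**" rule would be required to descend into the database subdirectories.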