MDEV-6829 : SELinux/AppArmor policies for Galera server

Add SELinux policy and AppArmor profile under policy/.

MDEV-6829 : SELinux/AppArmor policies for Galera server
Add SELinux policy and AppArmor profile under policy/.
6050ab65 · Nirbhay Choubey · 9eff9ed5 · 6050ab65 · 6050ab65 · 6050ab65
Commit 6050ab65 authored Jun 18, 2015 by Nirbhay Choubey
6 changed files
--- a/policy/apparmor/README
+++ b/policy/apparmor/README
+Note: The included AppArmor profiles can be used for MariaDB Galera cluster.
+However, since these profiles had been tested for a limited set of scenarios,
+it is highly recommended to run them in "complain" mode and report any denials
+on mariadb.org/jira.
+
--- a/policy/apparmor/usr.sbin.mysqld
+++ b/policy/apparmor/usr.sbin.mysqld
+# Last Modified: Fri Mar  1 18:55:47 2013
+# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
+# This AppArmor profile has been copied under BSD License from
+# Percona XtraDB Cluster, along with some additions.
+
+#include <tunables/global>
+
+/usr/sbin/mysqld flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/mysql>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+  #include <abstractions/winbind>
+
+  capability chown,
+  capability dac_override,
+  capability setgid,
+  capability setuid,
+  capability sys_rawio,
+  capability sys_resource,
+
+  network tcp,
+
+  /bin/dash rcx,
+  /dev/dm-0 r,
+  /etc/gai.conf r,
+  /etc/group r,
+  /etc/hosts.allow r,
+  /etc/hosts.deny r,
+  /etc/ld.so.cache r,
+  /etc/mtab r,
+  /etc/my.cnf r,
+  /etc/mysql/*.cnf r,
+  /etc/mysql/*.pem r,
+  /etc/mysql/conf.d/ r,
+  /etc/mysql/conf.d/* r,
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+  /etc/services r,
+  /run/mysqld/mysqld.pid w,
+  /run/mysqld/mysqld.sock w,
+  /sys/devices/system/cpu/ r,
+  owner /tmp/** lk,
+  /tmp/** rw,
+  /usr/lib/mysql/plugin/ r,
+  /usr/lib/mysql/plugin/*.so* mr,
+  /usr/sbin/mysqld mr,
+  /usr/share/mysql/** r,
+  /var/lib/mysql/ r,
+  /var/lib/mysql/** rwk,
+  /var/log/mysql.err rw,
+  /var/log/mysql.log rw,
+  /var/log/mysql/ r,
+  /var/log/mysql/* rw,
+  /var/run/mysqld/mysqld.pid w,
+  /var/run/mysqld/mysqld.sock w,
+
+
+  profile /bin/dash flags=(complain) {
+    #include <abstractions/base>
+    #include <abstractions/bash>
+    #include <abstractions/mysql>
+    #include <abstractions/nameservice>
+    #include <abstractions/perl>
+
+
+
+    /bin/cat rix,
+    /bin/dash rix,
+    /bin/date rix,
+    /bin/grep rix,
+    /bin/nc.openbsd rix,
+    /bin/netstat rix,
+    /bin/ps rix,
+    /bin/rm rix,
+    /bin/sed rix,
+    /bin/sleep rix,
+    /bin/tar rix,
+    /bin/which rix,
+    /dev/tty rw,
+    /etc/ld.so.cache r,
+    /etc/my.cnf r,
+    /proc/ r,
+    /proc/*/cmdline r,
+    /proc/*/fd/ r,
+    /proc/*/net/dev r,
+    /proc/*/net/if_inet6 r,
+    /proc/*/net/tcp r,
+    /proc/*/net/tcp6 r,
+    /proc/*/stat r,
+    /proc/*/status r,
+    /proc/sys/kernel/pid_max r,
+    /proc/tty/drivers r,
+    /proc/uptime r,
+    /proc/version r,
+    /sbin/ifconfig rix,
+    /sys/devices/system/cpu/ r,
+    /tmp/** rw,
+    /usr/bin/cut rix,
+    /usr/bin/dirname rix,
+    /usr/bin/gawk rix,
+    /usr/bin/innobackupex rix,
+    /usr/bin/mysql rix,
+    /usr/bin/perl rix,
+    /usr/bin/seq rix,
+    /usr/bin/wsrep_sst* rix,
+    /usr/bin/wsrep_sst_common r,
+    /usr/bin/xtrabackup* rix,
+    /var/lib/mysql/ r,
+    /var/lib/mysql/** rw,
+    /var/lib/mysql/*.log w,
+    /var/lib/mysql/*.err w,
+
+# MariaDB additions
+    ptrace peer=@{profile_name},
+
+    /bin/hostname rix,
+    /bin/ip rix,
+    /bin/mktemp rix,
+    /bin/ss rix,
+    /bin/sync rix,
+    /bin/touch rix,
+    /bin/uname rix,
+    /etc/mysql/*.cnf r,
+    /etc/mysql/conf.d/ r,
+    /etc/mysql/conf.d/* r,
+    /proc/*/attr/current r,
+    /proc/*/fdinfo/* r,
+    /proc/*/net/* r,
+    /proc/locks r,
+    /proc/sys/net/ipv4/ip_local_port_range r,
+    /run/mysqld/mysqld.sock rw,
+    /sbin/ip rix,
+    /usr/bin/basename rix,
+    /usr/bin/du rix,
+    /usr/bin/find rix,
+    /usr/bin/lsof rix,
+    /usr/bin/my_print_defaults rix,
+    /usr/bin/mysqldump rix,
+    /usr/bin/pv rix,
+    /usr/bin/rsync rix,
+    /usr/bin/socat rix,
+    /usr/bin/tail rix,
+    /usr/bin/timeout rix,
+    /usr/bin/xargs rix,
+    /usr/bin/xbstream rix,
+  }
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.mysqld>
+}
--- a/policy/apparmor/usr.sbin.mysqld.local
+++ b/policy/apparmor/usr.sbin.mysqld.local
+# Site-specific additions and overrides for usr.sbin.mysqld..
+# For more details, please see /etc/apparmor.d/local/README.
+# This AppArmor profile has been copied under BSD License from
+# Percona XtraDB Cluster, along with some additions.
--- a/policy/selinux/README
+++ b/policy/selinux/README
+Note: The included SELinux policy files can be used for MariaDB Galera cluster.
+However, since these policies had been tested for a limited set of scenarios,
+it is highly recommended to run SELinux in "permissive" mode even with these
+policies installed and report any denials on mariadb.org/jira.
+
+
+How to generate and load the policy module of MariaDB Galera cluster ?
+
+* Generate the SELinux policy module.
+  # cd <source>/policy/selinux/
+  # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
+
+* Load the generated policy module.
+  # semodule -i /path/to/mariadb-server.pp
+
+* Lastly, run the following command to allow 4568.
+  # semanage port -a -t mysqld_port_t -p tcp 4568
+
--- a/policy/selinux/mariadb-server.fc
+++ b/policy/selinux/mariadb-server.fc
+# This SELinux file contexts (.fc) file has been copied under BSD License from
+# Percona XtraDB Cluster.
+
+/etc/init\.d/rc\.d/mysql -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/var/lib/mysql/.*\.log --  gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/lib/mysql/.*\.err --  gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/lib/mysql/.*\.cnf	--  gen_context(system_u:object_r:mysqld_etc_t,s0)
+/usr/bin/xtrabackup.* -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/wsrep.*  -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
--- a/policy/selinux/mariadb-server.te
+++ b/policy/selinux/mariadb-server.te
+# This SELinux type enforcement (.te) file has been copied under BSD License
+# from Percona XtraDB Cluster, along with some additions.
+
+module mariadb-server 1.0;
+
+require {
+        type user_tmp_t;
+	type kerberos_port_t;
+	type mysqld_safe_t;
+        type tmp_t;
+        type tmpfs_t;
+        type hostname_exec_t;
+	type ifconfig_exec_t;
+	type sysctl_net_t;
+	type proc_net_t;
+	type port_t;
+	type mysqld_t;
+	type var_lib_t;
+        type rsync_exec_t;
+	type bin_t;
+	type shell_exec_t;
+	type anon_inodefs_t;
+	type fixed_disk_device_t;
+	class lnk_file read;
+        class process { getattr signull };
+	class unix_stream_socket connectto;
+	class capability { sys_resource sys_nice };
+	class tcp_socket { name_bind name_connect };
+	class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
+	class sock_file { create unlink getattr };
+	class blk_file { read write open };
+	class dir { write search getattr add_name read remove_name open };
+
+# MariaDB additions
+	type tram_port_t;
+	class process setpgid;
+	class netlink_tcpdiag_socket { create nlmsg_read };
+}
+
+
+#============= mysqld_safe_t ==============
+allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t self:capability { sys_resource sys_nice };
+allow mysqld_safe_t tmp_t:file { create read write open getattr unlink ioctl setattr };
+allow mysqld_safe_t tmp_t:dir { write remove_name add_name };
+allow mysqld_safe_t tmp_t:sock_file { getattr unlink };
+allow mysqld_safe_t user_tmp_t:sock_file { getattr unlink };
+allow mysqld_safe_t var_lib_t:dir { write add_name };
+allow mysqld_safe_t var_lib_t:file { write ioctl setattr create open getattr append unlink };
+
+#============= mysqld_t ==============
+allow mysqld_t anon_inodefs_t:file write;
+allow mysqld_t tmp_t:sock_file { create unlink };
+allow mysqld_t tmpfs_t:dir { write search read remove_name open add_name };
+allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
+allow mysqld_t fixed_disk_device_t:blk_file { read write open };
+allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans getattr };
+
+#This rule allows connecting on 4444
+allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
+
+allow mysqld_t mysqld_safe_t:dir { getattr search };
+allow mysqld_t mysqld_safe_t:file { read open };
+allow mysqld_t self:unix_stream_socket connectto;
+allow mysqld_t port_t:tcp_socket { name_bind name_connect };
+allow mysqld_t proc_net_t:file { read getattr open };
+allow mysqld_t sysctl_net_t:dir search;
+allow mysqld_t var_lib_t:file { getattr open append };
+allow mysqld_t var_lib_t:sock_file { create unlink getattr };
+allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans };
+allow mysqld_t self:process getattr;
+allow mysqld_t hostname_exec_t:file { read getattr execute open execute_no_trans };
+allow mysqld_t user_tmp_t:dir { write add_name };
+allow mysqld_t user_tmp_t:file create;
+allow mysqld_t bin_t:lnk_file read;
+allow mysqld_t tmp_t:file { append create read write open getattr unlink setattr };
+
+# Allows too much leeway - the xtrabackup/wsrep rules in fc should fix it, but
+# keep for the moment.
+allow mysqld_t shell_exec_t:file { execute_no_trans getattr read execute open };
+allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
+
+# MariaDB additions
+allow mysqld_t self:process setpgid;
+# This rule allows port 4567
+allow mysqld_t tram_port_t:tcp_socket name_bind;
+
+# Rules related to XtraBackup
+allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read };
+allow mysqld_t sysctl_net_t:file { read getattr open };
+