
fix apparmor settings for mysql

Patrick Falls 12 years ago
parent
commit
ec9ea1284b
3 changed files with 54 additions and 0 deletions
  1. 1 0
      config/client_sftp_batch
  2. 51 0
      config/usr.sbin.mysqld
  3. 2 0
      installer.py

+ 1 - 0
config/client_sftp_batch

@@ -7,3 +7,4 @@ put config/create-postgres-database.sql
 put config/create-postgres.sql
 put config/postgresql.conf
 put config/pg_hba.conf
+put config/usr.sbin.mysqld

+ 51 - 0
config/usr.sbin.mysqld

@@ -0,0 +1,51 @@
+# vim:syntax=apparmor
+# Last Modified: Tue Jun 19 17:37:30 2007
+#include <tunables/global>
+
+/usr/sbin/mysqld {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+  #include <abstractions/mysql>
+  #include <abstractions/winbind>
+
+  capability dac_override,
+  capability sys_resource,
+  capability setgid,
+  capability setuid,
+
+  network tcp,
+
+  /etc/hosts.allow r,
+  /etc/hosts.deny r,
+
+  /etc/mysql/*.pem r,
+  /etc/mysql/conf.d/ r,
+  /etc/mysql/conf.d/* r,
+  /etc/mysql/*.cnf r,
+  /usr/lib/mysql/plugin/ r,
+  /usr/lib/mysql/plugin/*.so* mr,
+  /usr/sbin/mysqld mr,
+  /usr/share/mysql/** r,
+  /var/log/mysql.log rw,
+  /var/log/mysql.err rw,
+  /var/lib/mysql/ r,
+  /var/lib/mysql/** rwk,
+  /var/log/mysql/ r,
+  /var/log/mysql/* rw,
+  /var/run/mysqld/mysqld.pid w,
+  /var/run/mysqld/mysqld.sock w,
+  /run/mysqld/mysqld.pid w,
+  /run/mysqld/mysqld.sock w,
+  /ssd/log/mysql.log rw,
+  /ssd/log/mysql.err rw,
+  /ssd/mysql/ r,
+  /ssd/mysql/** rwk,
+  /ssd/log/mysql/ r,
+  /ssd/log/mysql/* rw,
+
+  /sys/devices/system/cpu/ r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.mysqld>
+}
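Review bot: The six `/ssd/...` rules look like the only site-specific part of this profile, and they could go in `/etc/apparmor.d/local/usr.sbin.mysqld`, which the last line already includes, instead of replacing the whole profile. The rest appears to be a copy of the distribution's mysqld profile (the 2007 header suggests so), and overwriting it means later package updates to the base profile are lost or conflict. If the full file is kept, a comment above the /ssd block such as `# data and logs relocated to /ssd by installer.py` would explain the additions. The write rules for `/var/lib/mysql/**` and `/var/log/mysql*` could be dropped once nothing runs from those paths. `capability dac_override` and `#include <abstractions/winbind>` grant more than a server with a fixed data directory usually needs, so confirm both are required.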

+ 2 - 0
installer.py

@@ -383,6 +383,8 @@ class Installer:
 
     sudo cp -R -p /var/lib/mysql /ssd/
     sudo cp -R -p /var/log/mysql /ssd/log
+    sudo cp usr.sbin.mysqld /etc/apparmor.d/
+    sudo /etc/init.d/apparmor reload
     sudo start mysql
 
     # Insert data
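Review bot: `sudo start mysql` runs whether or not the two added commands succeeded, unless the surrounding script aborts on errors, which is not visible in this hunk. If the copy or the profile parse fails, mysqld starts under whatever profile was previously loaded, or fails on the /ssd paths, with nothing reported. Loading only this profile and checking the result would be tighter, for example `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld || exit 1`. The copy also depends on the current directory and leaves the file mode to the uploaded file and umask; `sudo install -o root -g root -m 0644 usr.sbin.mysqld /etc/apparmor.d/usr.sbin.mysqld` would pin owner and permissions. The enclosing command block starts and ends outside the hunk.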