[apparmor] [patch] extra profiles: update mysqld profile

John Johansen john.johansen at canonical.com
Mon Dec 22 13:35:32 UTC 2014 

On 12/01/2014 02:03 PM, Christian Boltz wrote:
> Hello,
> 
> this patch updates the mysqld profile in the extras directory to 
> something that works on my servers ;-)
> 
> BTW: AFAIK Ubuntu ships an active profile for mysqld - can someone merge
> it with this profile, please?
> 
so acking this for the extras directory, I'll look at the merge later and
deal with that as a separate patch

Acked-by: John Johansen <john.johansen at canonical.com>

> 
> === modified file 'profiles/apparmor/profiles/extras/usr.sbin.mysqld'
> --- profiles/apparmor/profiles/extras/usr.sbin.mysqld   2007-05-16 18:51:46 +0000
> +++ profiles/apparmor/profiles/extras/usr.sbin.mysqld   2014-12-01 22:00:57 +0000
> @@ -1,6 +1,9 @@
> +# Last Modified: Mon Dec  1 22:23:12 2014
> +
>  # ------------------------------------------------------------------
>  #
>  #    Copyright (C) 2002-2005 Novell/SUSE
> +#    Copyright (C) 2014 Christian Boltz
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -8,12 +11,12 @@
>  #
>  # ------------------------------------------------------------------
>  # vim:syntax=apparmor
> -# Last Modified: Wed Aug 17 14:28:07 2005
>  
>  #include <tunables/global>
>  
>  /usr/sbin/mysqld {
>    #include <abstractions/base>
> +  #include <abstractions/mysql>
>    #include <abstractions/nameservice>
>    #include <abstractions/user-tmp>
>  
> @@ -21,8 +24,22 @@
>    capability setgid,
>    capability setuid,
>  
> +  /etc/hosts.allow r,
> +  /etc/hosts.deny r,
>    /etc/my.cnf r,
> +  /etc/my.cnf.d/ r,
> +  /etc/my.cnf.d/*.cnf r,
> +  /root/.my.cnf r,
> +  /usr/lib{,32,64}/**.so mr,
>    /usr/sbin/mysqld r,
> +  /usr/share/mariadb/*/errmsg.sys r,
> +  /usr/share/mysql-community-server/*/errmsg.sys r,
>    /usr/share/mysql/** r,
> -  /var/lib/mysql/** lrw,
> +  /var/lib/mysql/ r,
> +  /var/lib/mysql/** rwl,
> +  /var/log/mysql/mysqld-upgrade-run.log w,
> +  /var/log/mysql/mysqld.log w,
> +  /var/log/mysql/mysqld.log-20* w,
> +  /{,var/}run/mysql/mysqld.pid w,
> +
>  }
> 
> 
> 
> Regards,
> 
> Christian Boltz
>

More information about the AppArmor mailing list