PKG-40 telemetry writing is blocked by AppArmor after update
1 parent
e16519a
commit 3daa680
Showing
4 changed files
with
127 additions
and
33 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
#include <tunables/global> | ||
|
||
/usr/sbin/mysqld flags=(complain) { | ||
#include <abstractions/base> | ||
#include <abstractions/nameservice> | ||
#include <abstractions/user-tmp> | ||
#include <abstractions/mysql> | ||
#include <abstractions/winbind> | ||
|
||
# Allow system resource access | ||
/sys/devices/system/cpu/ r, | ||
/sys/devices/system/node/ r, | ||
/sys/devices/system/node/** r, | ||
/proc/*/status r, | ||
capability sys_resource, | ||
capability dac_override, | ||
capability setuid, | ||
capability setgid, | ||
capability sys_nice, | ||
|
||
# Allow network access | ||
network tcp, | ||
|
||
/etc/hosts.allow r, | ||
/etc/hosts.deny r, | ||
|
||
# Allow config access | ||
/etc/mysql/** r, | ||
|
||
# Allow pid, socket, socket lock file access | ||
/var/run/mysqld/mysqld.pid rw, | ||
/var/run/mysqld/mysqld.sock rw, | ||
/var/run/mysqld/mysqld.sock.lock rw, | ||
/var/run/mysqld/mysqlx.sock rw, | ||
/var/run/mysqld/mysqlx.sock.lock rw, | ||
/run/mysqld/mysqld.pid rw, | ||
/run/mysqld/mysqld.sock rw, | ||
/run/mysqld/mysqld.sock.lock rw, | ||
/run/mysqld/mysqlx.sock rw, | ||
/run/mysqld/mysqlx.sock.lock rw, | ||
|
||
# Allow systemd notify messages | ||
/{,var/}run/systemd/notify w, | ||
|
||
# Allow execution of server binary | ||
/usr/sbin/mysqld mr, | ||
/usr/sbin/mysqld-debug mr, | ||
|
||
# Allow plugin access | ||
/usr/lib/mysql/plugin/ r, | ||
/usr/lib/mysql/plugin/*.so* mr, | ||
|
||
# Allow error msg and charset access | ||
/usr/share/mysql/ r, | ||
/usr/share/mysql/** r, | ||
/usr/share/mysql-@MYSQL_BASE_VERSION@/ r, | ||
/usr/share/mysql-@MYSQL_BASE_VERSION@/** r, | ||
|
||
# Allow data dir access | ||
/var/lib/mysql/ r, | ||
/var/lib/mysql/** rwk, | ||
|
||
# Allow data files dir access | ||
/var/lib/mysql-files/ r, | ||
/var/lib/mysql-files/** rwk, | ||
|
||
# Allow keyring dir access | ||
/var/lib/mysql-keyring/ r, | ||
/var/lib/mysql-keyring/** rwk, | ||
|
||
# Allow log file access | ||
/var/log/mysql/ r, | ||
/var/log/mysql/** rw, | ||
|
||
# Allow access to openssl config | ||
/etc/ssl/openssl.cnf r, | ||
|
||
# Site-specific additions and overrides. See local/README for details. | ||
#include <local/usr.sbin.mysqld> | ||
} |
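Review bot: The profile header `/usr/sbin/mysqld flags=(complain) {` loads this profile in complain mode, so every rule below it is only logged and mysqld is not actually confined; if that is deliberate for rollout, add a comment saying so and when it should become `/usr/sbin/mysqld {`. Among the rules, `capability dac_override,` lets the server bypass file permission checks and deserves a comment naming what needs it, and `/proc/*/status r,` could probably be narrowed to `owner @{PROC}/@{pid}/status r,` if the server only reads status for its own processes. No rule visible in this file covers a telemetry directory, so the fix named in the commit title presumably lives in one of the other changed files; it is worth confirming that this profile does not need the same rule.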
File renamed without changes.