...

This topic explains how to configure a Vormetric resource set to securely allow MySQL startup scripts to access encrypted GuardPoints.


Why do startup scripts need access to GuardPoints?

When Linux starts a service, it also runs that service's startup script. The startup script runs when the machine powers on or when the service is started manually. It typically runs tasks that relate to starting, stopping, and restarting the service.

...

As part of the startup process, the operating system needs permission to view and change file and folder ownership and permissions. As a result, if you want to guard /var/lib/mysql, you must create two rules in your policy.


Common GuardPoints

The system needs to access the commonly guarded (encrypted) folders inside /var/lib/mysql.


Access to GuardPoints

The resource is relative to the GuardPoint. In other words, if the GuardPoint is /var/lib/mysql and you want to allow access to a particular file in that directory, you only need to specify that file in your resource parameter.

For instance, if the GuardPoint is /var/lib/mysql/, then your resource would be just mysql.sock.


Allow startup scripts to access encrypted MySQL databases

Note

In the instructions below, you will create and add two rules to your policy. 

...