Stephen Smalley wrote:
Then I tried:
semanage port -a -t mysqld_port_t -p tcp 1186
What does semanage port -l | grep 1186 show afterward?
# semanage port -l | grep 1186
mysqld_port_t tcp 1186, 3306
What do you mean by "didn't work", i.e. same avc message repeated
afterward upon subsequent attempts to connect?
type=AVC msg=audit(1197324654.830:1482): avc: denied {
name_connect } for pid=20484 comm="mysqld" dest=54859
scontext=root:system_r:mysqld_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
subj=root:system_r:mysqld_t:s0 key=(null)
The command should cause the port to be treated with that type for all
subsequent permission checks, whether name_connect or name_bind.
But this didn't work either. I think this just allows mysqld
to bind to port 1186. (Or maybe not. Because, even without
this rule, it's still able to bind to 1186 on the management
nodes. So maybe this means something else.)
How would I accomplish adding ONLY port 1186 to what mysqld
can do a tcp connect to?
p.s. Does this patch:
http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
... do what I'm trying to accomplish? I see 1186 is added to
the mysqld network ports.
But either way, since it's a recent commit against Fedora,
I'm guessing it will be some time before it gets into
RHEL-5. Actually, do these types of SELinux targeted-policy
commits even get backported into RHEL? It's not really a
security patch, as such.
johnn
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
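The denial quoted above is for dest=54859 with tcontext port_t, not for port 1186, so relabelling 1186 as mysqld_port_t cannot cover it. As an added example (not from the thread or from SELinux tooling), this Python script parses such an AVC record together with `semanage port -l` rows and reports which type the port map actually gives the denied destination port; the `example_range_t` row is a constructed sample and the port_t fallback reflects the policy of the thread's era.

```python
import re

# Constructed sample input: the AVC record and the `semanage port -l | grep 1186`
# row quoted in the thread, plus one made-up range row to exercise range parsing.
AVC_LINE = ('type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } '
            'for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 '
            'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')
SEMANAGE_LINES = ["mysqld_port_t                  tcp      1186, 3306",
                  "example_range_t                tcp      40000-40100"]  # made-up type

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?comm="(?P<comm>[^"]*)".*?dest=(?P<dest>\d+)'
    r'.*?scontext=(?:\w+:){2}(?P<stype>\w+).*?tcontext=(?:\w+:){2}(?P<ttype>\w+)'
    r'.*?tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Extract the fields that matter for a port denial from one AVC record."""
    m = AVC_RE.search(line)
    return m.groupdict() if m else None

def parse_semanage(lines):
    """Turn `semanage port -l` rows ("type proto p1, p2, lo-hi") into range tuples."""
    table = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # header or blank line
        ptype, proto, ports = parts
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")
            table.append((ptype, proto, int(lo), int(hi or lo)))
    return table

def resolve_port_type(port, proto, table, default="port_t"):
    """Type the policy gives a port; unlabelled ports fall back to the generic type
    (port_t, which is exactly what the thread's denial shows for dest=54859)."""
    for ptype, p, lo, hi in table:
        if p == proto and lo <= port <= hi:
            return ptype
    return default

def diagnose(avc_line, semanage_lines):
    """Compare the denied destination port with what the port map actually labels."""
    avc = parse_avc(avc_line)
    proto = "tcp" if avc["tclass"] == "tcp_socket" else "udp"
    dest = int(avc["dest"])
    labelled = resolve_port_type(dest, proto, parse_semanage(semanage_lines))
    return {"comm": avc["comm"], "perm": avc["perm"], "dest": dest,
            "denied_type": avc["ttype"], "map_type": labelled,
            "covered_by_mysqld_port_t": labelled == "mysqld_port_t"}
```

Running `diagnose(AVC_LINE, SEMANAGE_LINES)` shows the denied port resolving to port_t, matching the tcontext in the audit record, which is why the 1186 change had no visible effect on this denial.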