Stephen Smalley wrote:
On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
Stephen Smalley wrote:
Then I tried:
semanage port -a -t mysqld_port_t -p tcp 1186
What does semanage port -l | grep 1186 show afterward?
# semanage port -l | grep 1186
mysqld_port_t tcp 1186, 3306
What do you mean by "didn't work", i.e. same avc message repeated
afterward upon subsequent attempts to connect?
type=AVC msg=audit(1197324654.830:1482): avc: denied {
name_connect } for pid=20484 comm="mysqld" dest=54859
scontext=root:system_r:mysqld_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
subj=root:system_r:mysqld_t:s0 key=(null)
Hmm...that's a bug then - that should work, and seems to work for me on
Fedora 7.
I can file a bugzilla. But do you know if these types of
changes get backported into RHEL? They're technically not
security exploits so I'm guessing "no".
I had previously wrote this... does this fix my issue?
p.s. Does this patch:
http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
... do what I'm trying to accomplish? I see 1186 is added to
the mysqld network ports.
But either way, since it's a recent commit against Fedora,
I'm guessing it will be some time before it gets into
RHEL-5. Actaully, do these types of SELinux targeted-policy
commits even get backported into RHEL? It's not really a
security patch, as such.
Thanks for your help, Stephen.
johnn
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
