Re: adding only port 1186 to mysqld connect

Eric Paris wrote:
On 12/11/07, Johnny Tan <linuxweb@xxxxxxxxx> wrote:
Stephen Smalley wrote:
On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
Stephen Smalley wrote:
Then I tried:
semanage port -a -t mysqld_port_t -p tcp 1186
What does semanage port -l | grep 1186 show afterward?
# semanage port -l | grep 1186
mysqld_port_t                  tcp      1186, 3306


What do you mean by "didn't work", i.e. same avc message repeated
afterward upon subsequent attempts to connect?
type=AVC msg=audit(1197324654.830:1482): avc:  denied  {
name_connect } for  pid=20484 comm="mysqld" dest=54859
scontext=root:system_r:mysqld_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
subj=root:system_r:mysqld_t:s0 key=(null)
Hmm...that's a bug then - that should work, and seems to work for me on
Fedora 7.
I can file a bugzilla. But do you know if these types of
changes get backported into RHEL? They're technically not
security exploits so I'm guessing "no".

Actually, isn't that AVC saying the port you are connecting to is
54859, not 1186?

You're right. I just saw the name_connect and assumed it was 1186 again. It seems it only connects to the cluster manager on port 1186. Once that's successful (which it now is with the semanage rule above), it then makes a connection to every node in the cluster, using ports in the ephemeral port range.

And it's those extra node connect attempts that are being denied. There's one denial for every single cluster node. (I didn't look closely, and thought those were simply multiple denials for the 1186 connect.)
So, my two follow-up questions are:

1) Is there a better way to allow mysqld to connect to the cluster nodes besides just allowing mysqld to make any tcp connect?

2) If this is changed to the correct behavior in the future, is this something that Red Hat would backport into existing RHELs, like RHEL-5?

johnn

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
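The confusion in this thread (reading a name_connect denial as "port 1186 again" when dest= actually held an ephemeral port) is exactly what an AVC triage script should catch. The example below is added here and is not code from the thread or from the SELinux tools: it parses AVC records of the shape shown above, parses `semanage port -l` output of the shape shown above, and for each denied name_connect says whether the destination port is currently labelled, was labelled after the denial was logged (the record predates the relabel), or lies in the ephemeral range where no single port label will ever help. The sample records and the ephemeral range (32768-61000, the usual Linux default from ip_local_port_range) are assumptions; only the first AVC line and the semanage line are taken from the thread.

```python
import re
from collections import Counter

# --- constructed sample input -------------------------------------------
# First AVC record is the one posted in the thread (reflowed onto one line);
# the SYSCALL line and the last two AVC records are constructed variations.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1197324654.830:1482): avc:  denied  { name_connect } for  pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e syscall=42 success=no exit=-13 comm="mysqld" exe="/usr/libexec/mysqld"
type=AVC msg=audit(1197324654.900:1483): avc:  denied  { name_connect } for  pid=20484 comm="mysqld" dest=48211 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1197324500.100:1470): avc:  denied  { name_connect } for  pid=20484 comm="mysqld" dest=1186 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Copy of the `semanage port -l | grep 1186` output from the thread.
SAMPLE_SEMANAGE = "mysqld_port_t                  tcp      1186, 3306\n"

# Assumed local ephemeral range (Linux default; check /proc/sys/net/ipv4/ip_local_port_range).
EPHEMERAL_RANGE = (32768, 61000)

AVC_RE = re.compile(r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # The type is the third field of user:role:type[:level] in each context.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    if 'dest' in rec:
        rec['dest'] = int(rec['dest'])
    return rec


def parse_semanage_ports(text):
    """Parse `semanage port -l` lines ("type proto port, lo-hi, ...") into {(proto, lo, hi): type}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        ptype, proto, ports = parts
        for item in ports.split(','):
            item = item.strip()
            if not item:
                continue
            lo, _, hi = item.partition('-')
            table[(proto, int(lo), int(hi or lo))] = ptype
    return table


def label_for_port(port, proto, table):
    """Type the port gets under the current local policy, or None if it falls to the default (port_t)."""
    for (p, lo, hi), ptype in table.items():
        if p == proto and lo <= port <= hi:
            return ptype
    return None


def classify(rec, table, ephemeral=EPHEMERAL_RANGE):
    """Explain why a tcp name_connect denial is (still) being logged."""
    if 'name_connect' not in rec['perms'] or rec.get('tclass') != 'tcp_socket':
        return 'not-a-tcp-connect'
    port = rec['dest']
    current = label_for_port(port, 'tcp', table)
    if current and current != rec['tcontext_type']:
        # Policy labels the port now, but the denial saw the old label:
        # the record predates the relabel (or came from another host).
        return 'stale-label'
    if current:
        return 'labelled-but-denied'      # a port rule exists; the domain still lacks the allow
    if ephemeral[0] <= port <= ephemeral[1]:
        return 'ephemeral-destination'    # no single port label will ever cover this
    return 'unlabelled-port'


def triage(audit_text, semanage_text):
    """Classify every AVC record; returns (records, Counter of verdicts)."""
    table = parse_semanage_ports(semanage_text)
    results = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rec['verdict'] = classify(rec, table)
        results.append(rec)
    return results, Counter(r['verdict'] for r in results)


if __name__ == '__main__':
    recs, summary = triage(SAMPLE_AUDIT, SAMPLE_SEMANAGE)
    for r in recs:
        print(f"{r['comm']:8} {r['scontext_type']:10} -> dest={r['dest']:<6} "
              f"tcontext={r['tcontext_type']:14} {r['verdict']}")
    print(dict(summary))
```

Run against real data with `ausearch -m AVC -ts recent` piped into the audit text and `semanage port -l` into the semanage text. An `ephemeral-destination` verdict is the signal that the fix is not another `semanage port -a`: either the peer service needs to listen on a fixed, labelled port, or the connecting domain needs a broader (and therefore more carefully reviewed) connect permission, which is the trade-off the first follow-up question above is asking about.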
