Re: adding only port 1186 to mysqld connect

Eric Paris wrote:
>> 1) Is there a better way to allow mysqld to connect to the
>> cluster nodes besides just allowing mysqld to make any tcp
>> connect?
>
> Maybe.  But I don't know.  Does name_connect/the socket controls pay
> attention to rules set by SECMARK?  If not, I don't know how to make
> this work.  Even if it will pay attention to labeling from SECMARK, is
> there some sort of iptables matching which would find this?

I glanced over the secmark stuff at:
http://james-morris.livejournal.com/11010.html

Can't say I fully understand it, but right off the bat, I would say if I'm opening the ephemeral ports for mysqld_packet_t (is that right?) via iptables, then the main win for me is that it's not open for all the other ports, in particular, the privileged ports?

>> 2) If this is changed to the correct behavior in the future,
>> is this something that Red Hat would backport into existing
>> RHELs, like RHEL-5?
>
> Dan might be willing to backport the first port change to RHEL5, I'm
> not sure.  I'd suggest opening a BZ against the policy.  If SECMARK
> solves your problem (hopefully while I sleep James will answer that
> question) open up a BZ for RHEL5 iptables stating that secmark would
> be a serious win for you (and if you have paid support open it there
> as well).  Assuming you do open the secmark BZ please let me know (off
> list if you like) the BZ number.  (and most/all of this would only
> possibly be backported to RHEL5, not RHEL4)

We're moving forward with allowing mysqld to make any tcp connect, just because we have to, for the moment.

But I'm willing to continue working on this (I have a spare box I can dedicate to testing this), as it's important to me, and I think it's going to become more common and more important to others using SELinux with NDB (mysql clustering).

I'll wait for James's reply first before opening BZ, because it's very possible secmark does what I need.

johnn

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
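An added example, not from this thread and not the Fedora or RHEL policy, showing the two approaches the thread weighs side by side: the blanket "mysqld may name_connect to any TCP port" rule the poster is shipping for now, and a narrow local module that covers only the NDB management port 1186 together with the SECMARK rule set for it. The type names ndb_mgmd_port_t and ndb_mgmd_packet_t and the module names mysqld_ndb_any and mysqld_ndb_local are assumptions for illustration and do not exist in shipped policy. The example relies on two facts about SELinux networking: name_connect is checked against the type assigned to the port with semanage port, not against SECMARK; SECMARK labels are checked separately, as send/recv on the packet class, which is why the narrow module declares both a port type and a packet type.

```shell
#!/bin/sh
# Added example (not from the thread, not the Fedora/RHEL policy).
# Two ways to let mysqld_t reach an NDB management node on TCP 1186:
#   blanket: name_connect to every port type (what the thread settles on)
#   narrow:  a dedicated port type for 1186 plus SECMARK-labeled packets
# Assumed names: ndb_mgmd_port_t, ndb_mgmd_packet_t, mysqld_ndb_any,
# mysqld_ndb_local. None of these exist in shipped policy.

NDB_MGMD_PORT=1186
NDB_PACKET_CTX="system_u:object_r:ndb_mgmd_packet_t:s0"

# Blanket variant: port_type is the attribute every port type carries,
# so this single rule opens every labeled TCP port, privileged ones
# included, to mysqld_t.
blanket_policy_module() {
cat <<'EOF'
module mysqld_ndb_any 1.0;
require {
    type mysqld_t;
    attribute port_type;
    class tcp_socket name_connect;
}
allow mysqld_t port_type:tcp_socket name_connect;
EOF
}

# Narrow variant: name_connect only to a port type that will be bound to
# 1186, and send/recv only for packets SECMARK labels ndb_mgmd_packet_t.
# No other port type appears, so nothing else is opened.
narrow_policy_module() {
cat <<'EOF'
module mysqld_ndb_local 1.0;
require {
    type mysqld_t;
    attribute port_type;
    attribute packet_type;
    class tcp_socket name_connect;
    class packet { send recv };
}
type ndb_mgmd_port_t, port_type;
type ndb_mgmd_packet_t, packet_type;
allow mysqld_t ndb_mgmd_port_t:tcp_socket name_connect;
allow mysqld_t ndb_mgmd_packet_t:packet { send recv };
EOF
}

# SECMARK rules: label the first packet of a new connection to 1186, save
# that label on the conntrack entry, and restore it onto every later packet
# of the connection in both directions (the ephemeral-port replies included).
# Packets matching no rule keep their default unlabeled_t label.
secmark_rules() {
cat <<EOF
iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -p tcp --dport $NDB_MGMD_PORT -m state --state NEW -j SECMARK --selctx $NDB_PACKET_CTX
iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
EOF
}

# Build, install and wire up the narrow variant. The module must be loaded
# before the iptables rules, because the kernel validates the --selctx
# context when the SECMARK rule is inserted. Only acts when the SELinux
# tool chain is installed and we are root; otherwise returns 2.
apply_narrow() {
    for t in checkmodule semodule_package semodule semanage iptables; do
        command -v "$t" >/dev/null 2>&1 || { echo "skip: $t not found" >&2; return 2; }
    done
    [ "$(id -u)" -eq 0 ] || { echo "skip: must run as root" >&2; return 2; }
    tmp=$(mktemp -d) || return 1
    narrow_policy_module > "$tmp/mysqld_ndb_local.te"
    checkmodule -M -m -o "$tmp/mysqld_ndb_local.mod" "$tmp/mysqld_ndb_local.te" &&
    semodule_package -o "$tmp/mysqld_ndb_local.pp" -m "$tmp/mysqld_ndb_local.mod" &&
    semodule -i "$tmp/mysqld_ndb_local.pp" &&
    semanage port -a -t ndb_mgmd_port_t -p tcp "$NDB_MGMD_PORT" &&
    secmark_rules | sh -e
}

# Usage: source this file, inspect with `narrow_policy_module; secmark_rules`,
# and run `apply_narrow` as root on a test box.
```

The narrow module answers the question raised in the thread about what SECMARK buys: the port-type rule is what lets mysqld_t call connect() on 1186 at all, while the packet-type rule plus the CONNSECMARK save/restore pair is what keeps the reply traffic on the ephemeral port labeled and permitted, without granting mysqld_t anything on the remaining ports.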
