adding only port 1186 to mysqld connect
Johnny Tan
linuxweb at gmail.com
Mon Dec 10 22:14:10 UTC 2007
Stephen Smalley wrote:
>> Then I tried:
>> semanage port -a -t mysqld_port_t -p tcp 1186
>
> What does semanage port -l | grep 1186 show afterward?
# semanage port -l | grep 1186
mysqld_port_t tcp 1186, 3306
> What do you mean by "didn't work", i.e. same avc message repeated
> afterward upon subsequent attempts to connect?
type=AVC msg=audit(1197324654.830:1482): avc: denied {
name_connect } for pid=20484 comm="mysqld" dest=54859
scontext=root:system_r:mysqld_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
subj=root:system_r:mysqld_t:s0 key=(null)
> The command should cause the port to be treated with that type for all
> subsequent permission checks, whether name_connect or name_bind.
>
>> But this didn't work either. I think this just allows mysqld
>> to bind to port 1186. (Or maybe not. Because, even without
>> this rule, it's still able to bind to 1186 on the management
>> nodes. So maybe this means something else.)
>>
>>
>> How would I accomplish adding ONLY port 1186 to what mysqld
>> can do a tcp connect to?
>>
>>
>> p.s. Does this patch:
>> http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
>>
>> ... do what I'm trying to accomplish? I see 1186 is added to
>> the mysqld network ports.
>>
>> But either way, since it's a recent commit against Fedora,
>> I'm guessing it will be some time before it gets into
>> RHEL-5. Actually, do these types of SELinux targeted-policy
>> commits even get backported into RHEL? It's not really a
>> security patch, as such.
>>
>> johnn
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
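A short shell helper, added here as an example and not part of the thread, that pulls the dest port and target type out of the AVC record quoted above and checks the port against a constructed "semanage port -l" style listing; the listing and the AVC line are built from the values in the thread, not captured from a system.

```shell
#!/bin/sh
# Added example: diagnose an SELinux name_connect denial by reading the
# dest= port and the tcontext type, then looking the port up in a
# semanage-style port listing. Both inputs below are constructed.

AVC='type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Constructed stand-in for "semanage port -l" after 1186 was added.
PORT_LIST='mysqld_port_t                  tcp      1186, 3306
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443'

# Destination port named in the denial (the port a new label must cover).
avc_dest_port() {
    printf '%s\n' "$1" | sed -n 's/.* dest=\([0-9]*\).*/\1/p'
}

# Type component of the target context, e.g. port_t or mysqld_port_t.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.* tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Print the type labelling PORT for PROTO in LISTING; print nothing when
# the port is not listed (it then falls back to the generic port_t).
# Handles both single ports and ranges such as 1024-65535.
port_label() {
    printf '%s\n' "$3" | awk -v p="$1" -v pr="$2" '
        $2 == pr {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v ~ /-/) {
                    split(v, r, "-")
                    if (p+0 >= r[1]+0 && p+0 <= r[2]+0) { print $1; exit }
                } else if (v == p) { print $1; exit }
            }
        }'
}

# Explain whether the listing accounts for the denied destination port.
explain_denial() {
    port=$(avc_dest_port "$1")
    label=$(port_label "$port" tcp "$2")
    if [ -z "$label" ]; then
        echo "dest port $port is unlabelled ($(avc_target_type "$1")); labelling 1186 does not cover it"
    else
        echo "dest port $port is labelled $label"
    fi
}

explain_denial "$AVC" "$PORT_LIST"
```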