adding only port 1186 to mysqld connect

Stephen Smalley sds at tycho.nsa.gov
Tue Dec 11 18:30:28 UTC 2007


On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> Stephen Smalley wrote:
> >> Then I tried:
> >> semanage port -a -t mysqld_port_t -p tcp 1186
> > 
> > What does semanage port -l | grep 1186 show afterward?
> 
> # semanage port -l | grep 1186
> mysqld_port_t                  tcp      1186, 3306
> 
> 
> > What do you mean by "didn't work", i.e. same avc message repeated
> > afterward upon subsequent attempts to connect?
> 
> type=AVC msg=audit(1197324654.830:1482): avc:  denied  { 
> name_connect } for  pid=20484 comm="mysqld" dest=54859 
> scontext=root:system_r:mysqld_t:s0 
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e 
> syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10 
> a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27 
> gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 
> tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld" 
> subj=root:system_r:mysqld_t:s0 key=(null)

Hmm...that's a bug then - that should work, and seems to work for me on
Fedora 7.

> > The command should cause the port to be treated with that type for all
> > subsequent permission checks, whether name_connect or name_bind.
> > 
> >> But this didn't work either. I think this just allows mysqld 
> >> to bind to port 1186. (Or maybe not. Because, even without 
> >> this rule, it's still able to bind to 1186 on the management 
> >> nodes. So maybe this means something else.)
> >>
> >>
> >> How would I accomplish adding ONLY port 1186 to what mysqld 
> >> can do a tcp connect to?
> >>
> >>
> >> p.s. Does this patch:
> >> http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
> >>
> >> ... do what I'm trying to accomplish? I see 1186 is added to 
> >> the mysqld network ports.
> >>
> >> But either way, since it's a recent commit against Fedora, 
> >> I'm guessing it will be some time before it gets into 
> >> RHEL-5. Actually, do these types of SELinux targeted-policy 
> >> commits even get backported into RHEL? It's not really a 
> >> security patch, as such.
> >>
> >> johnn
> >>
-- 
Stephen Smalley
National Security Agency
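The diagnostic step behind the exchange above is matching the `dest=` port in an AVC record against what `semanage port -l` reports. The script below is an added example, not code from the thread or from the SELinux tools: it parses a constructed AVC record (same fields as the one quoted) and a constructed stand-in for `semanage port -l` output, resolves which type's entries (single ports or ranges) cover the destination port, and falls back to the default `port_t` label when no entry matches. In practice the record and listing would come from `ausearch -m avc` and `semanage port -l`.

```shell
#!/bin/sh
# Constructed AVC record; the fields mirror the denial quoted in the thread.
AVC='type=AVC msg=audit(1197324654.830:1482): avc:  denied  { name_connect } for  pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Constructed stand-in for `semanage port -l` output (type, protocol, port list/ranges).
PORTS='mysqld_port_t                  tcp      1186, 3306
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
xserver_port_t                 tcp      6000-6020'

# avc_field RECORD KEY -> value of "KEY=" in the record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# port_types PORT PROTO LISTING -> one line per type whose entries cover PORT
port_types() {
    port=$1; proto=$2
    printf '%s\n' "$3" | while read -r type p rest; do
        [ "$p" = "$proto" ] || continue
        for spec in $(printf '%s' "$rest" | tr ',' ' '); do
            case $spec in
                *-*) lo=${spec%-*}; hi=${spec#*-} ;;   # range entry, e.g. 6000-6020
                *)   lo=$spec; hi=$spec ;;             # single port entry
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                printf '%s\n' "$type"; break
            fi
        done
    done
}

# explain_avc RECORD LISTING -> "PORT TYPE[,TYPE...]" for a name_connect/name_bind denial
explain_avc() {
    dest=$(avc_field "$1" dest)
    tclass=$(avc_field "$1" tclass)
    proto=${tclass%_socket}                       # tcp_socket -> tcp
    types=$(port_types "$dest" "$proto" "$2" | tr '\n' ',' | sed 's/,$//')
    # A port with no semanage entry carries the default port_t label.
    printf '%s %s\n' "$dest" "${types:-port_t}"
}

explain_avc "$AVC" "$PORTS"   # prints "54859 port_t"
```

The printed type should agree with the `tcontext=` type in the record; a mismatch means the policy store and the running labels have diverged and the port entry deserves a second look.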