adding only port 1186 to mysqld connect

Stephen Smalley sds at tycho.nsa.gov
Tue Dec 11 20:27:56 UTC 2007


On Tue, 2007-12-11 at 14:57 -0500, Eric Paris wrote:
> On 12/11/07, Johnny Tan <linuxweb at gmail.com> wrote:
> > Stephen Smalley wrote:
> > > On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> > >> Stephen Smalley wrote:
> > >>>> Then I tried:
> > >>>> semanage port -a -t mysqld_port_t -p tcp 1186
> > >>> What does semanage port -l | grep 1186 show afterward?
> > >> # semanage port -l | grep 1186
> > >> mysqld_port_t                  tcp      1186, 3306
> > >>
> > >>
> > >>> What do you mean by "didn't work", i.e. same avc message repeated
> > >>> afterward upon subsequent attempts to connect?
> > >> type=AVC msg=audit(1197324654.830:1482): avc:  denied  {
> > >> name_connect } for  pid=20484 comm="mysqld" dest=54859
> > >> scontext=root:system_r:mysqld_t:s0
> > >> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > >> type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
> > >> syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
> > >> a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
> > >> gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
> > >> tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
> > >> subj=root:system_r:mysqld_t:s0 key=(null)
> > >
> > > Hmm...that's a bug then - that should work, and seems to work for me on
> > > Fedora 7.
> >
> > I can file a bugzilla. But do you know if these types of
> > changes get backported into RHEL? They're technically not
> > security exploits so I'm guessing "no".
> 
> Actually, isn't that AVC saying the port you are connecting to is
> 54859, not 1186?

Ah, good catch, I missed that.  In which case semanage and the kernel
are working correctly.

I doubt he wants to map that to mysqld_port_t though - since it comes
from the local port range.  So there's a question - should we be mapping
everything in the local port range to a single type for name_connect
checking?  name_bind doesn't get checked against that range at all since
the kernel internally allocates from it.

Sounds like a job for secmark to control, but not sure how the port is
originally conveyed to mysqld for use.

-- 
Stephen Smalley
National Security Agency
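The reading that Eric Paris and Stephen Smalley arrive at above (the denied `dest` is 54859, not 1186, and 54859 lies in the kernel's local port range, so it was allocated dynamically rather than being a service port) can be checked mechanically from the two artifacts quoted in the thread. The following is an added example, not part of the original thread and not code from the SELinux tools: it parses an AVC record and `semanage port -l` output (both constructed here from the lines quoted above), and reports whether the denied destination port is labelled by policy, is an unmapped fixed port, or is an unmapped port inside the local port range. The 32768-61000 local port range is an assumed Linux default of that era, not a value from the thread.

```python
import re

# Constructed sample: the AVC record quoted in the thread, re-joined on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1197324654.830:1482): avc:  denied  { name_connect } '
    'for  pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
)

# Constructed sample of `semanage port -l` output: the one line shown in the thread.
SAMPLE_SEMANAGE = "mysqld_port_t                  tcp      1186, 3306\n"

# Assumed default net.ipv4.ip_local_port_range (not a value from the thread).
LOCAL_PORT_RANGE = (32768, 61000)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC audit record into result, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {'result': m.group('result'),
            'perms': m.group('perms').split(),
            'fields': fields}


def parse_semanage_ports(text):
    """Return {(proto, port): setype} from `semanage port -l` style output."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # header or blank line
        setype, proto, ports = parts
        for item in (p.strip() for p in ports.split(',')):
            if re.fullmatch(r'\d+-\d+', item):       # a port range such as 1024-1100
                lo, hi = (int(x) for x in item.split('-'))
                for port in range(lo, hi + 1):
                    mapping[(proto, port)] = setype
            elif item.isdigit():                     # a single port
                mapping[(proto, int(item))] = setype
    return mapping


def explain_name_connect(avc, port_map, local_range=LOCAL_PORT_RANGE):
    """Classify the destination port of a denied name_connect on a tcp_socket."""
    f = avc['fields']
    if 'name_connect' not in avc['perms'] or f.get('tclass') != 'tcp_socket':
        return None
    dest = int(f['dest'])
    labelled = f['tcontext'].split(':')[2]          # type field of the port's context
    mapped = port_map.get(('tcp', dest))
    lo, hi = local_range
    in_local = lo <= dest <= hi
    if mapped is not None:
        verdict = ('policy labels port %d as %s; the connecting domain needs '
                   'name_connect to that type' % (dest, mapped))
    elif in_local:
        verdict = ('port %d is unmapped (default %s) and lies in the local port range '
                   '%d-%d: it was allocated dynamically, so giving it a service port '
                   'type would mislabel an ephemeral port' % (dest, labelled, lo, hi))
    else:
        verdict = ('port %d is unmapped (default %s); a fixed service port can be '
                   'labelled with semanage port -a' % (dest, labelled))
    return {'dest': dest, 'labelled_type': labelled, 'mapped_type': mapped,
            'in_local_range': in_local, 'verdict': verdict}


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    ports = parse_semanage_ports(SAMPLE_SEMANAGE)
    print(explain_name_connect(record, ports)['verdict'])
```

Run on the thread's own lines, the script reports that 54859 is not in the semanage mapping (1186 and 3306 are) and falls inside the local port range, which is exactly why adding 1186 to mysqld_port_t could not have changed the outcome of that connect.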