adding only port 1186 to mysqld connect
Johnny Tan
linuxweb at gmail.com
Tue Dec 11 22:55:50 UTC 2007
Eric Paris wrote:
>> 1) Is there a better way to allow mysqld to connect to the
>> cluster nodes besides just allowing mysqld to make any tcp
>> connect?
>
> Maybe. But I don't know. Do name_connect/the socket controls pay
> attention to rules set by SECMARK? If not, I don't know how to make
> this work. Even if it will pay attention to labeling from SECMARK, is
> there some sort of iptables matching which would find this?
I glanced over the secmark stuff at:
http://james-morris.livejournal.com/11010.html
Can't say I fully understand it, but right off the bat, I
would say if I'm opening the ephemeral ports for
mysqld_packet_t (is that right?) via iptables, then the main
win for me is that it's not open for all the other ports, in
particular, the privileged ports?
>> 2) If this is changed to the correct behavior in the future,
>> is this something that Red Hat would backport into existing
>> RHELs, like RHEL-5?
>
> Dan might be willing to backport the first port change to RHEL5, I'm
> not sure. I'd suggest opening a BZ against the policy. If SECMARK
> solves your problem (hopefully while I sleep James will answer that
> question), open up a BZ for RHEL5 iptables stating that secmark would
> be a serious win for you (and if you have paid support, open it there
> as well). Assuming you do open the secmark BZ, please let me know (off
> list if you like) the BZ number. (And most/all of this would only
> possibly be backported to RHEL5, not RHEL4.)
We're moving forward with allowing mysqld to make any tcp
connect, just because we have to, for the moment.
But I'm willing to continue working on this (I have a spare
box I can dedicate to testing this), as it's important to
me, and I think it's going to become more common and more
important to others using SELinux with NDB (mysql clustering).
I'll wait for James's reply first before opening BZ, because
it's very possible secmark does what I need.
johnn
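An added check, not from the thread or from any SELinux project code, that goes with the port-labeling side of the question above: name_connect is decided by the SELinux type of the destination port (the "semanage port" mapping), while SECMARK labels packets and is enforced by a separate packet send/recv check, so the port mapping is what to verify. It assumes a policy that lets mysqld_t name_connect to mysqld_port_t (as upstream refpolicy does) and uses a constructed stand-in for real `semanage port -l` output.

```shell
#!/bin/sh
# Added example: check whether PORT/PROTO is covered by a given SELinux port
# type in "semanage port -l" output, which is what name_connect is checked
# against. SECMARK labels packets and is a separate packet send/recv check.

# Constructed sample in the layout "semanage port -l" prints. On a real host:
#   semanage port -l | port_covered mysqld_port_t tcp 1186
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-61000
mysqld_port_t                  tcp      3306
ssh_port_t                     tcp      22'

# port_covered TYPE PROTO PORT: reads a listing on stdin and exits 0 if PORT
# is listed under TYPE/PROTO, either as a single port or inside a lo-hi range.
port_covered() {
    awk -v want="$1" -v proto="$2" -v port="$3" '
        $1 == want && $2 == proto {
            # fields 3..NF look like "1186," "3306" or "32768-61000"
            for (i = 3; i <= NF; i++) {
                spec = $i
                sub(/,$/, "", spec)
                n = split(spec, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# label_port_cmd TYPE PROTO PORT: prints (does not run) the semanage command
# that adds PORT to TYPE; running it needs root and changes policy persistently.
label_port_cmd() {
    printf 'semanage port -a -t %s -p %s %s\n' "$1" "$2" "$3"
}

# Usage (assumption: mysqld_port_t is the type mysqld_t may name_connect to).
if ! printf '%s\n' "$SAMPLE_LISTING" | port_covered mysqld_port_t tcp 1186; then
    echo "port 1186/tcp is not labeled mysqld_port_t; to add it:"
    label_port_cmd mysqld_port_t tcp 1186
fi
```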