adding only port 1186 to mysqld connect

Johnny Tan linuxweb at gmail.com
Tue Dec 11 22:55:50 UTC 2007


Eric Paris wrote:
>> 1) Is there a better way to allow mysqld to connect to the
>> cluster nodes besides just allowing mysqld to make any tcp
>> connect?
> 
> Maybe.  But I don't know.  Does name_connect/the socket controls pay
> attention to rules set by SECMARK?  If not, I don't know how to make
> this work.  Even if it will pay attention to labeling from SECMARK is
> there some sort of iptables matching which would find this?

I glanced over the secmark stuff at:
http://james-morris.livejournal.com/11010.html

Can't say I fully understand it, but right off the bat, I 
would say if I'm opening the ephemeral ports for 
mysqld_packet_t (is that right?) via iptables, then the main 
win for me is that it's not open for all the other ports, in 
particular, the privileged ports?



>> 2) If this is changed to the correct behavior in the future,
>> is this something that Red Hat would backport into existing
>> RHELs, like RHEL-5?
> 
>  Dan might be willing to backport the first port change to RHEL5, I'm
> not sure.  I'd suggest opening a BZ against the policy.  If SECMARK
> solves your problem (hopefully while I sleep James will answer that
> question) open up a BZ for RHEL5 iptables stating that secmark would
> be a serious win for you (and if you have paid support open it there
> as well)  Assuming you do open the secmark BZ please let me know (off
> list if you like) the BZ number.   (and most/all of this would only
> possibly be backported to RHEL5, not RHEL4)

We're moving forward with allowing mysqld to make any tcp 
connect, just because we have to, for the moment.

But I'm willing to continue working on this (I have a spare 
box I can dedicate to testing this), as it's important to 
me, and I think it's going to become more common and more 
important to others using SELinux with NDB (mysql clustering).

I'll wait for James's reply first before opening BZ, because 
it's very possible secmark does what I need.

johnn
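As an added example, not part of the original message and not Red Hat's or refpolicy's own code, this is how the two controls the thread is weighing fit together on a refpolicy-based system: a local policy module gives mysqld_t name_connect to a dedicated port type that semanage assigns to tcp/1186, which removes the need for corenet_tcp_connect_all_ports(mysqld_t); SECMARK/CONNSECMARK iptables rules then label the same traffic so the separate packet-class checks apply too. The module name mysqld_ndb and the types mysqld_ndb_port_t and mysqld_ndb_packet_t are this example's own invention, and it assumes checkmodule, semodule_package, semodule and semanage are installed and a kernel and iptables built with SECMARK support. name_connect is checked against the destination port's type and the packet send/recv checks against the SECMARK label; neither consults the other.

```shell
#!/bin/sh
# Added example (not from the thread). Grants mysqld_t outbound TCP to the NDB
# management port only, instead of corenet_tcp_connect_all_ports(mysqld_t).
# Assumptions: refpolicy-derived targeted policy with checkmodule,
# semodule_package, semodule and semanage available; the type names
# mysqld_ndb_port_t and mysqld_ndb_packet_t are invented here.
set -eu

NDB_PORT=1186
MOD=mysqld_ndb

# Local policy module: a dedicated port type, name_connect to it, and a
# packet type for the optional SECMARK rules further down.
policy_te() {
    cat <<'EOF'
module mysqld_ndb 1.0;

require {
    type mysqld_t;
    attribute port_type;
    attribute packet_type;
    class tcp_socket name_connect;
    class packet { send recv };
}

# Port label for tcp/1186; assigned with "semanage port" once the module is loaded.
type mysqld_ndb_port_t;
typeattribute mysqld_ndb_port_t port_type;

# mysqld may initiate connections to this port type only; every other
# outbound port stays governed by the unchanged base policy.
allow mysqld_t mysqld_ndb_port_t:tcp_socket name_connect;

# Packet label set by the SECMARK rules; mysqld may send and receive it.
type mysqld_ndb_packet_t;
typeattribute mysqld_ndb_packet_t packet_type;
allow mysqld_t mysqld_ndb_packet_t:packet { send recv };
EOF
}

# iptables SECMARK/CONNSECMARK rules: label packets to and from 1186 so the
# packet-class checks above apply. This is independent of name_connect.
secmark_rules() {
    ctx="system_u:object_r:mysqld_ndb_packet_t:s0"
    cat <<EOF
iptables -t mangle -A OUTPUT -p tcp --dport $NDB_PORT -j SECMARK --selctx $ctx
iptables -t mangle -A OUTPUT -p tcp --dport $NDB_PORT -j CONNSECMARK --save
iptables -t mangle -A INPUT -p tcp --sport $NDB_PORT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
EOF
}

# Build, load and label. Must run as root; only runs when passed "apply".
apply() {
    tmp=$(mktemp -d)
    policy_te > "$tmp/$MOD.te"
    checkmodule -M -m -o "$tmp/$MOD.mod" "$tmp/$MOD.te"
    semodule_package -o "$tmp/$MOD.pp" -m "$tmp/$MOD.mod"
    semodule -i "$tmp/$MOD.pp"
    # The port type must exist in the loaded policy before semanage accepts it.
    semanage port -a -t mysqld_ndb_port_t -p tcp "$NDB_PORT"
    secmark_rules | sh -e
    # Check: tcp/1186 should now carry the new port type.
    semanage port -l | grep mysqld_ndb_port_t
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as `sh mysqld_ndb.sh apply` on the spare box, then retry the NDB connection and watch for an AVC against mysqld_ndb_port_t. The name_connect rule is what actually narrows the destination set; the SECMARK rules only add checks on the packets they label, and packets they do not match remain unlabeled_t, for which the base policy's existing grants to mysqld_t are unchanged. CONNSECMARK --restore relies on connection tracking, so the reply direction is labeled only while conntrack sees the flow.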




More information about the fedora-selinux-list mailing list