Stephen Smalley wrote:
On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
Stephen Smalley wrote:
Then I tried: semanage port -a -t mysqld_port_t -p tcp 1186
What does semanage port -l | grep 1186 show afterward?
# semanage port -l | grep 1186
mysqld_port_t                  tcp      1186, 3306
What do you mean by "didn't work", i.e. same avc message repeated afterward upon subsequent attempts to connect?
type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10 a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
Hmm...that's a bug then - that should work, and seems to work for me on Fedora 7.
I can file a bugzilla. But do you know if these types of changes get backported into RHEL? They're technically not security exploits so I'm guessing "no".
I had previously written this... does this fix my issue?
p.s. Does this patch: http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786....
... do what I'm trying to accomplish? I see 1186 is added to the mysqld network ports.
But either way, since it's a recent commit against Fedora, I'm guessing it will be some time before it gets into RHEL-5. Actually, do these types of SELinux targeted-policy commits even get backported into RHEL? It's not really a security patch, as such.
Thanks for your help, Stephen. johnn
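A check the exchange above leaves implicit, added here as an example that is not part of the message or of the SELinux toolchain: the AVC record quoted in the thread names dest=54859 with tcontext port_t, not port 1186, so after a `semanage port -a` it is worth confirming that the port the denial was actually raised for falls inside the type you just extended. The script below parses that quoted AVC record and a constructed stand-in for `semanage port -l` output (the rows, including the range row, are made up for the example); the helper names avc_field, avc_dest_type, port_in_type and check_avc are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Given an AVC denial record and
# the output of `semanage port -l`, report whether the denied destination
# port is covered by the port type you expect. Both inputs are embedded
# here so the script runs offline; on a live box take AVC_LINE from
# /var/log/audit/audit.log and PORT_LIST from `semanage port -l`.

# The AVC record quoted in the thread (SYSCALL record omitted).
AVC_LINE='type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Constructed stand-in for `semanage port -l` (type, protocol, port list).
PORT_LIST='mysqld_port_t                  tcp      1186, 3306
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535'

# Extract one key=value field from an audit record: $1 = record, $2 = key.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Port type of the target, e.g. port_t out of system_u:object_r:port_t:s0.
avc_dest_type() {
    avc_field "$1" tcontext | awk -F: '{print $3}'
}

# Succeed if tcp port $2 is listed under type $1 in port list $3.
# Handles single ports ("1186,") and ranges ("1024-65535").
port_in_type() {
    printf '%s\n' "$3" | awk -v type="$1" -v port="$2" '
        $1 == type && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                n = split($i, r, "-")
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Overall verdict: $1 = type you expected, $2 = AVC record, $3 = port list.
# Returns 0 if the denied dest port is in that type, 1 otherwise.
check_avc() {
    port=$(avc_field "$2" dest)
    actual=$(avc_dest_type "$2")
    if port_in_type "$1" "$port" "$3"; then
        echo "dest port $port is in $1: covered"
        return 0
    fi
    echo "dest port $port is labelled $actual and is not in $1: not covered"
    return 1
}

# Run the check; `|| true` keeps a "not covered" verdict from aborting
# a `set -e` shell.
check_avc mysqld_port_t "$AVC_LINE" "$PORT_LIST" || true
```

For the record in the thread this prints that dest port 54859 is labelled port_t and is not in mysqld_port_t, which is the condition under which adding 1186 to mysqld_port_t does nothing for that particular denial.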