Eric Paris wrote:
>> - Is there a better way to allow mysqld to connect to the cluster nodes besides just allowing mysqld to make any tcp connect?
> Maybe. But I don't know. Do name_connect/the socket controls pay attention to rules set by SECMARK? If not, I don't know how to make this work. Even if it will pay attention to labeling from SECMARK, is there some sort of iptables matching which would find this?
I glanced over the secmark stuff at: http://james-morris.livejournal.com/11010.html
Can't say I fully understand it, but right off the bat, I would say if I'm opening the ephemeral ports for mysqld_packet_t (is that right?) via iptables, then the main win for me is that it's not open for all the other ports, in particular, the privileged ports?
>> - If this is changed to the correct behavior in the future, is this something that Red Hat would backport into existing RHELs, like RHEL-5?
> Dan might be willing to backport the first port change to RHEL5, I'm not sure. I'd suggest opening a BZ against the policy. If SECMARK solves your problem (hopefully while I sleep James will answer that question), open up a BZ for RHEL5 iptables stating that SECMARK would be a serious win for you (and if you have paid support, open it there as well). Assuming you do open the SECMARK BZ, please let me know (off list if you like) the BZ number. (And most/all of this would only possibly be backported to RHEL5, not RHEL4.)
We're moving forward with allowing mysqld to make any tcp connect, just because we have to, for the moment.
But I'm willing to continue working on this (I have a spare box I can dedicate to testing this), as it's important to me, and I think it's going to become more common and more important to others using SELinux with NDB (mysql clustering).
I'll wait for James's reply first before opening a BZ, because it's very possible SECMARK does what I need.
johnn
selinux@lists.fedoraproject.org
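The SECMARK approach the thread is asking about, as an added example that is not from this thread or from any Fedora/RHEL policy: iptables rules that label only mysqld's NEW connections to the cluster nodes, plus the policy module that lets mysqld_t handle that packet type and nothing else. Assumed: the node addresses and ports (1186 for mgmd, 2202 for data nodes) are constructed placeholders, and the packet type name mysqld_packet_t is a guess, as it is in the thread; confirm it on your system before loading anything.

```shell
#!/bin/sh
# Added example, not code from the thread. Labels mysqld's outbound NDB
# connections with SECMARK so SELinux can confine them by packet type rather
# than by granting mysqld_t tcp connect to every port.
# ASSUMPTIONS: node addresses/ports below are constructed; the packet type
# mysqld_packet_t is assumed (check: seinfo -t | grep -i mysqld.*packet).
# Default is a dry run that prints the rules; run as root with IPT=iptables
# to apply them.
IPT="${IPT:-echo}"
PACKET_CTX="system_u:object_r:mysqld_packet_t:s0"

# One SECMARK rule per cluster endpoint. Only NEW connections to these
# host:port pairs get the label; anything else mysqld sends stays unlabeled.
secmark_rules() {
    set -- $1                      # $1 is a space-separated host:port list
    for ep in "$@"; do
        host="${ep%:*}"; port="${ep##*:}"
        "$IPT" -t mangle -A OUTPUT -p tcp -d "$host" --dport "$port" \
            -m state --state NEW -j SECMARK --selctx "$PACKET_CTX"
    done
    # Save the label on the connection, then restore it onto every later
    # packet in both directions so replies are labeled the same way.
    "$IPT" -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
    "$IPT" -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
    "$IPT" -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
}

# Matching policy module: mysqld_t may send/recv the labeled packets only.
# Whether unlabeled_t packets are already denied to mysqld_t depends on the
# base policy; check with: sesearch -A -s mysqld_t -c packet
policy_te() {
    cat <<'EOF'
policy_module(mysqld_ndb, 1.0)
require { type mysqld_t; type mysqld_packet_t; }
allow mysqld_t mysqld_packet_t:packet { send recv };
EOF
}

# Constructed sample cluster: one mgmd node and two data nodes.
secmark_rules "192.0.2.10:1186 192.0.2.11:2202 192.0.2.12:2202"
policy_te
```

Build and load the module with the usual `checkmodule`/`semodule_package`/`semodule -i` steps once the packet type name is confirmed.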