I'm doing mysql clustering (aka NDB). It requires a mysqld client to connect to the cluster management node on port 1186.
By default, SELinux disallows mysqld from making tcp connections (except to port 3306, I think?, not sure).
To allow mysqld to connect to the management node, I ran audit2allow on the denials and got this: allow mysqld_t port_t:tcp_socket name_connect;
But this rule seems *too* open. Ideally, I'd like it to only be able to connect on port 1186.
Then I tried: semanage port -a -t mysqld_port_t -p tcp 1186
But this didn't work either. I think this just allows mysqld to bind to port 1186. (Or maybe not. Because, even without this rule, it's still able to bind to 1186 on the management nodes. So maybe this means something else.)
How would I accomplish adding ONLY port 1186 to what mysqld can do a tcp connect to?
p.s. Does this patch: http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786....
... do what I'm trying to accomplish? I see 1186 is added to the mysqld network ports.
But either way, since it's a recent commit against Fedora, I'm guessing it will be some time before it gets into RHEL-5. Actually, do these types of SELinux targeted-policy commits even get backported into RHEL? It's not really a security patch, as such.
johnn
On Mon, 2007-12-10 at 16:41 -0500, Johnny Tan wrote:
> I'm doing mysql clustering (aka NDB). It requires a mysqld client to connect to the cluster management node on port 1186.
> By default, SELinux disallows mysqld from making tcp connections (except to port 3306, I think?, not sure).
> To allow mysqld to connect to the management node, I ran audit2allow on the denials and got this: allow mysqld_t port_t:tcp_socket name_connect;
> But this rule seems *too* open. Ideally, I'd like it to only be able to connect on port 1186.
> Then I tried: semanage port -a -t mysqld_port_t -p tcp 1186
What does semanage port -l | grep 1186 show afterward?
What do you mean by "didn't work", i.e. same avc message repeated afterward upon subsequent attempts to connect?
The command should cause the port to be treated with that type for all subsequent permission checks, whether name_connect or name_bind.
> But this didn't work either. I think this just allows mysqld to bind to port 1186. (Or maybe not. Because, even without this rule, it's still able to bind to 1186 on the management nodes. So maybe this means something else.)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Stephen Smalley wrote:
> > Then I tried: semanage port -a -t mysqld_port_t -p tcp 1186
> What does semanage port -l | grep 1186 show afterward?
# semanage port -l | grep 1186
mysqld_port_t                  tcp      1186, 3306
> What do you mean by "didn't work", i.e. same avc message repeated afterward upon subsequent attempts to connect?
type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10 a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
> The command should cause the port to be treated with that type for all subsequent permission checks, whether name_connect or name_bind.
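An added example, not code from this thread or from the SELinux tooling: a small Python triage script that cross-checks a name_connect/name_bind AVC denial against a `semanage port -l` style listing. The first AVC record is the one quoted above; the second record and the http/reserved listing lines are constructed for contrast (the mysqld_port_t line matches the reported "1186, 3306"). It distinguishes three situations a defender wants told apart: the port in the denial has no semanage entry at all (note the record above carries dest=54859, not 1186, and its target type is the generic port_t), the listing and the type the kernel actually checked disagree, or the port is labelled as intended and the domain simply has no allow rule for that port type (the narrow form of the audit2allow rule, scoped to mysqld_port_t instead of port_t).

```python
"""Cross-check SELinux AVC port denials against semanage port labelling.

Added example for this thread; it does not talk to SELinux. It parses text of the
two shapes shown in the thread: `semanage port -l` lines and AVC records.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed listing in the shape of `semanage port -l` output. The mysqld_port_t
# line matches what the poster reported; the other two lines are made up.
SEMANAGE_PORT_LISTING = """\
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1186, 3306
reserved_port_t                tcp      1-511
"""

# First record: the AVC denial quoted in the thread (AVC part only).
# Second record: constructed, a connect to a port that is labelled mysqld_port_t.
AVC_LINES = [
    'type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 '
    'comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1197324700.000:1500): avc: denied { name_connect } for pid=20484 '
    'comm="mysqld" dest=1186 scontext=root:system_r:mysqld_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

PortMap = Dict[Tuple[str, int], str]


def parse_port_listing(text: str) -> PortMap:
    """Map (protocol, port) -> SELinux port type. Ranges like 1-511 are expanded."""
    port_map: PortMap = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        setype, proto, ports = parts
        for item in ports.split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = (int(x) for x in item.split("-", 1))
            else:
                lo = hi = int(item)
            for port in range(lo, hi + 1):
                port_map[(proto, port)] = setype
    return port_map


AVC_PERM_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Pull the fields needed for a port decision out of one AVC denial record."""
    m = AVC_PERM_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["perm"] = m.group(1)
    # a context is user:role:type:level; the type is the third field
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def explain_denial(avc: Dict[str, str], port_map: PortMap) -> Dict[str, str]:
    """Relate one name_connect/name_bind denial to the labelling semanage reports."""
    if avc["tclass"] not in ("tcp_socket", "udp_socket") or avc["perm"] not in ("name_connect", "name_bind"):
        return {"status": "not_a_port_check", "port": "", "port_type": avc["ttype"], "detail": "not a port permission"}
    proto = avc["tclass"].split("_")[0]
    # name_connect reports the remote port as dest=, name_bind the local port as src=
    port = int(avc["dest"] if avc["perm"] == "name_connect" else avc["src"])
    labelled = port_map.get((proto, port))
    if labelled is None:
        status = "unlabelled_port"
        detail = (f"port {port}/{proto} has no semanage entry, so the kernel used the generic "
                  f"{avc['ttype']}; the port being connected to is not the one that was labelled")
    elif labelled != avc["ttype"]:
        status = "label_mismatch"
        detail = f"semanage says {labelled} but the kernel checked {avc['ttype']}; the running policy does not reflect the semanage change"
    else:
        status = "missing_allow_rule"
        detail = (f"port is labelled {labelled} as intended; {avc['stype']} still lacks "
                  f"'allow {avc['stype']} {labelled}:{avc['tclass']} {avc['perm']};'")
    return {"status": status, "port": str(port), "port_type": labelled or avc["ttype"], "detail": detail}


def triage(avc_lines: List[str], listing: str) -> List[Dict[str, str]]:
    """Run every AVC record through explain_denial against the parsed listing."""
    port_map = parse_port_listing(listing)
    results = []
    for line in avc_lines:
        avc = parse_avc(line)
        if avc is not None:
            results.append(explain_denial(avc, port_map))
    return results


if __name__ == "__main__":
    for r in triage(AVC_LINES, SEMANAGE_PORT_LISTING):
        print(r["status"], r["port"], r["port_type"], "-", r["detail"])
```

On a real host, feed it the output of `semanage port -l` and the `type=AVC` lines from the audit log; the "unlabelled_port" verdict is the one to look for first, since it means the labelling step targeted a different port than the one the denial is about.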
On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> Stephen Smalley wrote:
> > > Then I tried: semanage port -a -t mysqld_port_t -p tcp 1186
> > What does semanage port -l | grep 1186 show afterward?
> # semanage port -l | grep 1186
> mysqld_port_t                  tcp      1186, 3306
> > What do you mean by "didn't work", i.e. same avc message repeated afterward upon subsequent attempts to connect?
> type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10 a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
Hmm...that's a bug then - that should work, and seems to work for me on Fedora 7.
> > The command should cause the port to be treated with that type for all subsequent permission checks, whether name_connect or name_bind.
Stephen Smalley wrote:
> On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> > Stephen Smalley wrote:
> > > > Then I tried: semanage port -a -t mysqld_port_t -p tcp 1186
> > > What does semanage port -l | grep 1186 show afterward?
> > # semanage port -l | grep 1186
> > mysqld_port_t                  tcp      1186, 3306
> > > What do you mean by "didn't work", i.e. same avc message repeated afterward upon subsequent attempts to connect?
> > type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10 a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
> Hmm...that's a bug then - that should work, and seems to work for me on Fedora 7.
I can file a bugzilla. But do you know if these types of changes get backported into RHEL? They're technically not security exploits so I'm guessing "no".
I had previously written this... does this fix my issue?
> p.s. Does this patch: http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786....
> ... do what I'm trying to accomplish? I see 1186 is added to the mysqld network ports.
> But either way, since it's a recent commit against Fedora, I'm guessing it will be some time before it gets into RHEL-5. Actually, do these types of SELinux targeted-policy commits even get backported into RHEL? It's not really a security patch, as such.
Thanks for your help, Stephen. johnn