On Tue, 2007-12-11 at 14:57 -0500, Eric Paris wrote:
On 12/11/07, Johnny Tan <linuxweb@gmail.com> wrote:
Stephen Smalley wrote:
On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
Stephen Smalley wrote:
Then I tried: semanage port -a -t mysqld_port_t -p tcp 1186
What does semanage port -l | grep 1186 show afterward?
# semanage port -l | grep 1186
mysqld_port_t tcp 1186, 3306
What do you mean by "didn't work", i.e. same avc message repeated afterward upon subsequent attempts to connect?
type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10 a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
Hmm... that's a bug then - that should work, and seems to work for me on Fedora 7.
I can file a bugzilla. But do you know if these types of changes get backported into RHEL? They're technically not security exploits so I'm guessing "no".
Actually, isn't that AVC saying the port you are connecting to is 54859, not 1186?
Ah, good catch, I missed that. In which case semanage and the kernel are working correctly.
I doubt he wants to map that to mysqld_port_t though - since it comes from the local port range. So there's a question - should we be mapping everything in the local port range to a single type for name_connect checking? name_bind doesn't get checked against that range at all since the kernel internally allocates from it.
Sounds like a job for secmark to control, but not sure how the port is originally conveyed to mysqld for use.
selinux@lists.fedoraproject.org
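The check Eric applied by eye above (does the dest port in the AVC actually match the port you added with semanage, and is it an ephemeral port?) can be automated. This is an added example, not code from the thread or the SELinux project; the AVC record and semanage line are the ones quoted above, and the local port range 32768-61000 is an assumed default that should be read from /proc/sys/net/ipv4/ip_local_port_range on a real host.

```python
import re

# Constructed sample input: the AVC record and the 'semanage port -l' line quoted in the thread.
AVC_LINE = ('type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } '
            'for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 '
            'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')
SEMANAGE_LINE = 'mysqld_port_t tcp 1186, 3306'

# Assumed local (ephemeral) port range; real value lives in /proc/sys/net/ipv4/ip_local_port_range.
LOCAL_PORT_RANGE = (32768, 61000)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an audit AVC record plus the denied permission."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r'denied\s+\{\s*([^}]*)\}', line)
    fields['permission'] = m.group(1).strip() if m else None
    return fields


def parse_semanage_ports(line):
    """Parse one 'semanage port -l' line into (type, proto, [(lo, hi), ...])."""
    port_type, proto, ports = line.split(None, 2)
    ranges = []
    for item in ports.split(','):
        lo, _, hi = item.strip().partition('-')   # single ports and 'lo-hi' ranges
        ranges.append((int(lo), int(hi or lo)))
    return port_type, proto, ranges


def explain_denial(avc_line, semanage_line, local_range=LOCAL_PORT_RANGE):
    """Relate a name_connect denial to the semanage port mapping and the local port range."""
    avc = parse_avc(avc_line)
    dest = int(avc['dest'])
    _, _, ranges = parse_semanage_ports(semanage_line)
    return {
        'dest': dest,
        'permission': avc['permission'],
        'tcontext_type': avc['tcontext'].split(':')[2],     # e.g. port_t, not mysqld_port_t
        'covered_by_semanage': any(lo <= dest <= hi for lo, hi in ranges),
        'in_local_port_range': local_range[0] <= dest <= local_range[1],
    }


if __name__ == '__main__':
    for k, v in explain_denial(AVC_LINE, SEMANAGE_LINE).items():
        print(f'{k}: {v}')
```

For the thread's record this reports dest=54859, not covered by the mysqld_port_t mapping and inside the local port range, which is exactly why the semanage change could not have affected it.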