Re: adding only port 1186 to mysqld connect

[Johnny Tan <linuxweb gmail com>]

Stephen Smalley wrote:
> On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> > Stephen Smalley wrote:
> > > > Then I tried:
> > > > semanage port -a -t mysqld_port_t -p tcp 1186
> > > What does semanage port -l | grep 1186 show afterward?
> > # semanage port -l | grep 1186
> > mysqld_port_t                  tcp      1186, 3306
> >
> >
> > > What do you mean by "didn't work", i.e. same avc message repeated
> > > afterward upon subsequent attempts to connect?
> > type=AVC msg=audit(1197324654.830:1482): avc:  denied  { 
> > name_connect } for  pid=20484 comm="mysqld" dest=54859 
> > scontext=root:system_r:mysqld_t:s0 
> > tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e 
> > syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10 
> > a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27 
> > gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 
> > tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld" 
> > subj=root:system_r:mysqld_t:s0 key=(null)
>
> Hmm...that's a bug then - that should work, and seems to work for me on
> Fedora 7.

I can file a bugzilla. But do you know if these types of 
changes get backported into RHEL? They're technically not 
security exploits so I'm guessing "no".

I had previously wrote this... does this fix my issue?

> > > > p.s. Does this patch:
> > > > http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
> > > >
> > > > ... do what I'm trying to accomplish? I see 1186 is added to 
> > > > the mysqld network ports.
> > > >
> > > > But either way, since it's a recent commit against Fedora, 
> > > > I'm guessing it will be some time before it gets into 
> > > > RHEL-5. Actaully, do these types of SELinux targeted-policy 
> > > > commits even get backported into RHEL? It's not really a 
> > > > security patch, as such.


Thanks for your help, Stephen.
johnn