12-10-2007, 08:41 PM
Johnny Tan

adding only port 1186 to mysqld connect

I'm doing mysql clustering (aka NDB). It requires a mysqld
client to connect to the cluster management node on port 1186.


By default, SELinux disallows mysqld from making tcp
connections (except to port 3306, I think?, not sure).


To allow mysqld to connect to the management node, I ran
audit2allow on the denials and got this:

allow mysqld_t port_t:tcp_socket name_connect;

But this rule seems *too* open. Ideally, I'd like it to only
be able to connect on port 1186.


Then I tried:
semanage port -a -t mysqld_port_t -p tcp 1186

But this didn't work either. I think this just allows mysqld
to bind to port 1186. (Or maybe not. Because, even without
this rule, it's still able to bind to 1186 on the management
nodes. So maybe this means something else.)



How would I accomplish adding ONLY port 1186 to what mysqld
can do a tcp connect to?



p.s. Does this patch:
http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html

... do what I'm trying to accomplish? I see 1186 is added to
the mysqld network ports.


But either way, since it's a recent commit against Fedora,
I'm guessing it will be some time before it gets into
RHEL-5. Actually, do these types of SELinux targeted-policy
commits even get backported into RHEL? It's not really a
security patch, as such.


johnn

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
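
An added example, not part of the original post or of the Fedora policy: one way to get close to the goal above is to keep port 1186 labeled mysqld_port_t (the semanage command from the post) and load a local module that grants name_connect on that type only, instead of audit2allow's rule on generic port_t. It assumes the loaded policy does not already allow this; the module name is made up for the example, and the rule covers every port labeled mysqld_port_t, not 1186 alone.

```shell
#!/bin/sh
# Added example: local policy module for the NDB management-port case.
# The module name is an arbitrary choice made for this example.
MODULE=mysqld_ndb_mgmt

# Write the type-enforcement source into directory $1.
write_module() {
    cat > "$1/$MODULE.te" <<EOF
module $MODULE 1.0;

require {
    type mysqld_t;
    type mysqld_port_t;
    class tcp_socket name_connect;
}

# Outbound connect only, and only to ports labeled mysqld_port_t.
# Generic port_t stays denied, unlike the audit2allow rule.
allow mysqld_t mysqld_port_t:tcp_socket name_connect;
EOF
}

# Label the port if needed, then compile and load the module. Needs root.
install_module() {
    dir=$1
    semanage port -l | grep '^mysqld_port_t' | grep -qw 1186 ||
        semanage port -a -t mysqld_port_t -p tcp 1186
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te" &&
    semodule_package -o "$dir/$MODULE.pp" -m "$dir/$MODULE.mod" &&
    semodule -i "$dir/$MODULE.pp"
}

# Nothing is changed unless the script is run with --install.
if [ "${1:-}" = "--install" ]; then
    workdir=$(mktemp -d) && write_module "$workdir" && install_module "$workdir"
fi
```

After loading, `semanage port -l | grep mysqld_port_t` shows which ports the rule reaches, and a remaining AVC denial for name_connect will name the target type that still lacks a rule.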