
Stephen Smalley 12-10-2007 09:01 PM

adding only port 1186 to mysqld connect
 
On Mon, 2007-12-10 at 16:41 -0500, Johnny Tan wrote:
> I'm doing mysql clustering (aka NDB). It requires a mysqld
> client to connect to the cluster management node on port 1186.
>
> By default, SELinux disallows mysqld from making tcp
> connections (except to port 3306, I think?, not sure).
>
> To allow mysqld to connect to the management node, I ran
> audit2allow on the denials and got this:
> allow mysqld_t port_t:tcp_socket name_connect;
>
> But this rule seems *too* open. Ideally, I'd like it to only
> be able to connect on port 1186.
>
> Then I tried:
> semanage port -a -t mysqld_port_t -p tcp 1186

What does semanage port -l | grep 1186 show afterward?

What do you mean by "didn't work", i.e. same avc message repeated
afterward upon subsequent attempts to connect?

The command should cause the port to be treated with that type for all
subsequent permission checks, whether name_connect or name_bind.

> But this didn't work either. I think this just allows mysqld
> to bind to port 1186. (Or maybe not. Because, even without
> this rule, it's still able to bind to 1186 on the management
> nodes. So maybe this means something else.)
>
>
> How would I accomplish adding ONLY port 1186 to what mysqld
> can do a tcp connect to?
>
>
> p.s. Does this patch:
> http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
>
> ... do what I'm trying to accomplish? I see 1186 is added to
> the mysqld network ports.
>
> But either way, since it's a recent commit against Fedora,
> I'm guessing it will be some time before it gets into
> RHEL-5. Actually, do these types of SELinux targeted-policy
> commits even get backported into RHEL? It's not really a
> security patch, as such.
>
> johnn
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency


Johnny Tan 12-10-2007 09:14 PM

adding only port 1186 to mysqld connect
 
Stephen Smalley wrote:
> > Then I tried:
> > semanage port -a -t mysqld_port_t -p tcp 1186
>
> What does semanage port -l | grep 1186 show afterward?

# semanage port -l | grep 1186
mysqld_port_t tcp 1186, 3306

> What do you mean by "didn't work", i.e. same avc message repeated
> afterward upon subsequent attempts to connect?

type=AVC msg=audit(1197324654.830:1482): avc: denied {
name_connect } for pid=20484 comm="mysqld" dest=54859
scontext=root:system_r:mysqld_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
subj=root:system_r:mysqld_t:s0 key=(null)

> The command should cause the port to be treated with that type for all
> subsequent permission checks, whether name_connect or name_bind.
>
> > But this didn't work either. I think this just allows mysqld
> > to bind to port 1186. (Or maybe not. Because, even without
> > this rule, it's still able to bind to 1186 on the management
> > nodes. So maybe this means something else.)
> >
> > How would I accomplish adding ONLY port 1186 to what mysqld
> > can do a tcp connect to?
> >
> > p.s. Does this patch:
> > http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
> >
> > ... do what I'm trying to accomplish? I see 1186 is added to
> > the mysqld network ports.
> >
> > But either way, since it's a recent commit against Fedora,
> > I'm guessing it will be some time before it gets into
> > RHEL-5. Actually, do these types of SELinux targeted-policy
> > commits even get backported into RHEL? It's not really a
> > security patch, as such.
> >
> > johnn


Stephen Smalley 12-11-2007 05:30 PM

adding only port 1186 to mysqld connect
 
On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> Stephen Smalley wrote:
> >> Then I tried:
> >> semanage port -a -t mysqld_port_t -p tcp 1186
> >
> > What does semanage port -l | grep 1186 show afterward?
>
> # semanage port -l | grep 1186
> mysqld_port_t tcp 1186, 3306
>
>
> > What do you mean by "didn't work", i.e. same avc message repeated
> > afterward upon subsequent attempts to connect?
>
> type=AVC msg=audit(1197324654.830:1482): avc: denied {
> name_connect } for pid=20484 comm="mysqld" dest=54859
> scontext=root:system_r:mysqld_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
> syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
> a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
> gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
> tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
> subj=root:system_r:mysqld_t:s0 key=(null)

Hmm...that's a bug then - that should work, and seems to work for me on
Fedora 7.

> > The command should cause the port to be treated with that type for all
> > subsequent permission checks, whether name_connect or name_bind.
> >
> >> But this didn't work either. I think this just allows mysqld
> >> to bind to port 1186. (Or maybe not. Because, even without
> >> this rule, it's still able to bind to 1186 on the management
> >> nodes. So maybe this means something else.)
> >>
> >>
> >> How would I accomplish adding ONLY port 1186 to what mysqld
> >> can do a tcp connect to?
> >>
> >>
> >> p.s. Does this patch:
> >> http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
> >>
> >> ... do what I'm trying to accomplish? I see 1186 is added to
> >> the mysqld network ports.
> >>
> >> But either way, since it's a recent commit against Fedora,
> >> I'm guessing it will be some time before it gets into
> >> RHEL-5. Actually, do these types of SELinux targeted-policy
> >> commits even get backported into RHEL? It's not really a
> >> security patch, as such.
> >>
> >> johnn
> >>
--
Stephen Smalley
National Security Agency


Johnny Tan 12-11-2007 06:41 PM

adding only port 1186 to mysqld connect
 
Stephen Smalley wrote:
> On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> > Stephen Smalley wrote:
> > > > Then I tried:
> > > > semanage port -a -t mysqld_port_t -p tcp 1186
> > >
> > > What does semanage port -l | grep 1186 show afterward?
> >
> > # semanage port -l | grep 1186
> > mysqld_port_t tcp 1186, 3306
> >
> > > What do you mean by "didn't work", i.e. same avc message repeated
> > > afterward upon subsequent attempts to connect?
> >
> > type=AVC msg=audit(1197324654.830:1482): avc: denied {
> > name_connect } for pid=20484 comm="mysqld" dest=54859
> > scontext=root:system_r:mysqld_t:s0
> > tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
> > syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
> > a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
> > gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
> > tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
> > subj=root:system_r:mysqld_t:s0 key=(null)
>
> Hmm...that's a bug then - that should work, and seems to work for me on
> Fedora 7.

I can file a bugzilla. But do you know if these types of
changes get backported into RHEL? They're technically not
security exploits so I'm guessing "no".

I had previously written this... does this fix my issue?

> > > > p.s. Does this patch:
> > > > http://www.redhat.com/archives/fedora-extras-commits/2007-November/msg00786.html
> > > >
> > > > ... do what I'm trying to accomplish? I see 1186 is added to
> > > > the mysqld network ports.
> > > >
> > > > But either way, since it's a recent commit against Fedora,
> > > > I'm guessing it will be some time before it gets into
> > > > RHEL-5. Actually, do these types of SELinux targeted-policy
> > > > commits even get backported into RHEL? It's not really a
> > > > security patch, as such.

Thanks for your help, Stephen.
johnn


Stephen Smalley 12-11-2007 07:27 PM

adding only port 1186 to mysqld connect
 
On Tue, 2007-12-11 at 14:57 -0500, Eric Paris wrote:
> On 12/11/07, Johnny Tan <linuxweb@gmail.com> wrote:
> > Stephen Smalley wrote:
> > > On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> > >> Stephen Smalley wrote:
> > >>>> Then I tried:
> > >>>> semanage port -a -t mysqld_port_t -p tcp 1186
> > >>> What does semanage port -l | grep 1186 show afterward?
> > >> # semanage port -l | grep 1186
> > >> mysqld_port_t tcp 1186, 3306
> > >>
> > >>
> > >>> What do you mean by "didn't work", i.e. same avc message repeated
> > >>> afterward upon subsequent attempts to connect?
> > >> type=AVC msg=audit(1197324654.830:1482): avc: denied {
> > >> name_connect } for pid=20484 comm="mysqld" dest=54859
> > >> scontext=root:system_r:mysqld_t:s0
> > >> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > >> type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
> > >> syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
> > >> a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
> > >> gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
> > >> tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
> > >> subj=root:system_r:mysqld_t:s0 key=(null)
> > >
> > > Hmm...that's a bug then - that should work, and seems to work for me on
> > > Fedora 7.
> >
> > I can file a bugzilla. But do you know if these types of
> > changes get backported into RHEL? They're technically not
> > security exploits so I'm guessing "no".
>
> Actually, isn't that AVC saying the port you are connecting to is
> 54859, not 1186?

Ah, good catch, I missed that. In which case semanage and the kernel
are working correctly.

I doubt he wants to map that to mysqld_port_t though - since it comes
from the local port range. So there's a question - should we be mapping
everything in the local port range to a single type for name_connect
checking? name_bind doesn't get checked against that range at all since
the kernel internally allocates from it.

Sounds like a job for secmark to control, but not sure how the port is
originally conveyed to mysqld for use.

--
Stephen Smalley
National Security Agency

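Eric's catch above (the denied destination is 54859, a kernel-allocated local port, not 1186) is the kind of check worth automating when triaging name_connect denials. The following is an added example, not code from the thread or from the SELinux tools: it parses an AVC port denial and reports whether the target port already carries a specific type, is a fixed unlabelled port that a `semanage port -a` mapping would cover, or lies in the local port range where a single port mapping cannot apply. The local port range is an assumed default; the sample AVC is the one quoted in the thread.

```python
import re

# Constructed sample input: the AVC record quoted in this thread, joined onto one
# line as audit.log stores it (not captured from a live host).
SAMPLE_AVC = (
    'type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } '
    'for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
)

# Assumed local (ephemeral) port range; read /proc/sys/net/ipv4/ip_local_port_range on a real host.
LOCAL_PORT_RANGE = (32768, 61000)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'(?:dest|src)=(?P<port>\d+).*?'          # dest= for name_connect, src= for name_bind
    r'scontext=\S+:(?P<stype>\w+_t):\S+.*?'
    r'tcontext=\S+:(?P<ttype>\w+_t):\S+.*?'
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    # Pull the fields that matter for a port denial out of one AVC record.
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"perms": d["perms"].split(), "comm": d["comm"], "port": int(d["port"]),
            "stype": d["stype"], "ttype": d["ttype"], "tclass": d["tclass"]}

def triage(line, local_range=LOCAL_PORT_RANGE):
    # Classify a name_connect/name_bind denial the way the thread did by hand.
    avc = parse_avc(line)
    if avc is None or avc["tclass"] not in ("tcp_socket", "udp_socket"):
        return None
    lo, hi = local_range
    avc["ephemeral"] = lo <= avc["port"] <= hi
    if avc["ttype"] != "port_t":
        # Port already has a specific type: the domain just lacks an allow rule for it.
        avc["verdict"] = "labelled"
    elif avc["ephemeral"]:
        # The thread's case: dest=54859 is a kernel-allocated local port, so a
        # `semanage port -a` for one fixed port cannot make this check pass.
        avc["verdict"] = "ephemeral"
    else:
        # Fixed, unlabelled port: `semanage port -a -t <type> -p <proto> <port>` narrows the allow to it.
        avc["verdict"] = "unlabelled"
    return avc
```

Run it over `ausearch -m avc` output line by line; an "ephemeral" verdict means a port mapping is the wrong tool and the policy for that domain (or, as the thread discusses, a packet-level control) has to be revisited instead.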

Johnny Tan 12-11-2007 08:48 PM

adding only port 1186 to mysqld connect
 
Eric Paris wrote:
> On 12/11/07, Johnny Tan <linuxweb@gmail.com> wrote:
> > Stephen Smalley wrote:
> > > On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
> > > > Stephen Smalley wrote:
> > > > > > Then I tried:
> > > > > > semanage port -a -t mysqld_port_t -p tcp 1186
> > > > > What does semanage port -l | grep 1186 show afterward?
> > > > # semanage port -l | grep 1186
> > > > mysqld_port_t tcp 1186, 3306
> > > >
> > > > > What do you mean by "didn't work", i.e. same avc message repeated
> > > > > afterward upon subsequent attempts to connect?
> > > > type=AVC msg=audit(1197324654.830:1482): avc: denied {
> > > > name_connect } for pid=20484 comm="mysqld" dest=54859
> > > > scontext=root:system_r:mysqld_t:s0
> > > > tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > > > type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e
> > > > syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10
> > > > a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27
> > > > gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
> > > > tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld"
> > > > subj=root:system_r:mysqld_t:s0 key=(null)
> > >
> > > Hmm...that's a bug then - that should work, and seems to work for me on
> > > Fedora 7.
> >
> > I can file a bugzilla. But do you know if these types of
> > changes get backported into RHEL? They're technically not
> > security exploits so I'm guessing "no".
>
> Actually, isn't that AVC saying the port you are connecting to is
> 54859, not 1186?

You're right. I just saw the name_connect and assumed it was
1186 again. It seems it only connects to the cluster
manager on port 1186. Once that's successful (which it now
is with the semanage rule above), it then makes a connection
to every node in the cluster, using ports in the ephemeral
port range.

And it's those extra node connect attempts that are being
denied. There's one denial for every single cluster node. (I
didn't look closely, and thought those were simply multiple
denials for the 1186 connect.)

So, my two follow-up questions are:

1) Is there a better way to allow mysqld to connect to the
cluster nodes besides just allowing mysqld to make any tcp
connect?

2) If this is changed to the correct behavior in the future,
is this something that Red Hat would backport into existing
RHELs, like RHEL-5?

johnn


Johnny Tan 12-11-2007 09:55 PM

adding only port 1186 to mysqld connect
 
Eric Paris wrote:
> > 1) Is there a better way to allow mysqld to connect to the
> > cluster nodes besides just allowing mysqld to make any tcp
> > connect?
>
> Maybe. But I don't know. Does name_connect/the socket controls pay
> attention to rules set by SECMARK? If not, I don't know how to make
> this work. Even if it will pay attention to labeling from SECMARK is
> there some sort of iptables matching which would find this?

I glanced over the secmark stuff at:
http://james-morris.livejournal.com/11010.html

Can't say I fully understand it, but right off the bat, I
would say if I'm opening the ephemeral ports for
mysqld_packet_t (is that right?) via iptables, then the main
win for me is that it's not open for all the other ports, in
particular, the privileged ports?

> > 2) If this is changed to the correct behavior in the future,
> > is this something that Red Hat would backport into existing
> > RHELs, like RHEL-5?
>
> Dan might be willing to backport the first port change to RHEL5, I'm
> not sure. I'd suggest opening a BZ against the policy. If SECMARK
> solves your problem (hopefully while I sleep James will answer that
> question) open up a BZ for RHEL5 iptables stating that secmark would
> be a serious win for you (and if you have paid support open it there
> as well) Assuming you do open the secmark BZ please let me know (off
> list if you like) the BZ number. (and most/all of this would only
> possibly be backported to RHEL5, not RHEL4)

We're moving forward with allowing mysqld to make any tcp
connect, just because we have to, for the moment.

But I'm willing to continue working on this (I have a spare
box I can dedicate to testing this), as it's important to
me, and I think it's going to become more common and more
important to others using SELinux with NDB (mysql clustering).

I'll wait for James's reply first before opening BZ, because
it's very possible secmark does what I need.

johnn
