Bug 1262125

Summary: RFE: a separate mysql boolean to allow the "feedback" function
Product: [Fedora] Fedora
Reporter: Göran Uddeborg <goeran>
Component: selinux-policy
Assignee: Vit Mojzis <vmojzis>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: 23
CC: dominick.grift, dwalsh, goeran, lvrabec, mgrepl, plautrba
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-152.fc23
Doc Type: Bug Fix
Last Closed: 2015-10-24 12:24:37 UTC
Type: Bug

Description Göran Uddeborg 2015-09-10 21:01:35 UTC
If one enables the "feedback" feature in MariaDB (I did after listening to a speech by Michael "Monty" Widenius where he asked the audience to do that) one gets AVCs about mysqld_t trying to name_connect to http_port_t.  This can be allowed by enabling the mysql_connect_any boolean.  But that allows it to connect to ANY port.  Typically, the MariaDB server does not need to connect to arbitrary ports, while the "feedback" feature is a specific thing built in.

I would suggest creating a separate boolean to allow this.  I guess it would have to allow connection to ports 80, 81, etc. too since they share the http_port_t type.  But it would still be much more restricted than allowing ANY port.

Would it make sense?
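
For triaging the denials described in this report, the following added example (not part of the bug report or of selinux-policy) reads AVC records and lists mysqld_t name_connect denials by target port type, marking those that a boolean scoped to http_port_t would cover. The sample records and the function name classify_mysqld_connects are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample AVC records (illustrative, not taken from the bug report).
SAMPLE_AVC='type=AVC msg=audit(1441918895.101:412): avc:  denied  { name_connect } for  pid=2211 comm="mysqld" dest=80 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1441918899.530:419): avc:  denied  { name_connect } for  pid=2211 comm="mysqld" dest=25 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1441918903.007:425): avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Hypothetical helper: reads audit records on stdin and prints
#   <dest-port> <target-type> <verdict>
# for every name_connect denial whose source domain is mysqld_t.
#   http-scoped  : target is http_port_t, so a boolean limited to that
#                  port type is enough (the request made in this report)
#   needs-review : some other port type; only a broad switch such as
#                  mysql_connect_any would allow it, so investigate first
classify_mysqld_connects() {
    awk '
    /avc:/ && /denied/ && index($0, " name_connect ") {
        src = ""; tgt = ""; port = "?"
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^dest=/)     { port = substr($i, 6) }
        }
        if (src != "mysqld_t") next
        verdict = (tgt == "http_port_t") ? "http-scoped" : "needs-review"
        print port, tgt, verdict
    }'
}

# Exit status 0 only when every mysqld_t connect denial targets http_port_t,
# i.e. when the narrow boolean would be sufficient.
only_http_denials() {
    ! classify_mysqld_connects | grep -q 'needs-review$'
}

printf '%s\n' "$SAMPLE_AVC" | classify_mysqld_connects
```

On a live system the same functions can be fed from the audit log, for example the output of ausearch -m avc.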

Comment 1 Miroslav Grepl 2015-09-21 07:57:51 UTC
Yes, it makes sense.

Thank you for your report.

Comment 2 Vit Mojzis 2015-10-15 16:03:10 UTC
commit 74686ad7d87ac241bad3edb0d9620b2bf5daa9f7
Merge: 1717c93 a6dbe7f
Author: Lukas Vrabec <wrabcak.github.com>
Date:   Thu Oct 15 17:10:49 2015 +0200

    Merge pull request #51 from vmojzis/f23-contrib
    
    Add boolean allowing mysqld to connect to http port.  BZ #1262125

commit a6dbe7fd41c5c5efd301bf2c99b833d4fc1ec2cd
Author: Vit Mojzis <vmojzis>
Date:   Thu Oct 15 16:10:50 2015 +0200

    Add boolean allowing mysqld to connect to http port. #1262125

Comment 3 Göran Uddeborg 2015-10-15 18:04:25 UTC
I was flagged "needinfo", but I'm not sure what the question is.  What is it I should answer?  When -152.fc23 appears on koji I can try it out.  Is that what you meant?

Comment 4 Fedora Update System 2015-10-21 11:42:21 UTC
selinux-policy-3.13.1-152.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-456c6b6cb4

Comment 5 Vit Mojzis 2015-10-21 12:44:02 UTC
(In reply to Göran Uddeborg from comment #3)
Sorry, I did that by accident.

Comment 6 Göran Uddeborg 2015-10-21 21:00:33 UTC
In that case, you can consider it answered! :-)

Comment 7 Fedora Update System 2015-10-24 12:09:55 UTC
selinux-policy-3.13.1-152.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-456c6b6cb4

Comment 8 Fedora Update System 2015-10-24 12:24:17 UTC
selinux-policy-3.13.1-152.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.