Bug 669821

Summary: SELinux policy should allow Oracle ports 1521, 2483, 2484
Product: Red Hat Enterprise Linux 5 Reporter: Rich Graves <rgraves>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: low    
Version: 5.6CC: dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 14:32:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rich Graves 2011-01-14 21:34:38 UTC 
tcp 1521 is the legacy Oracle port. Newer installations use tcp 2483, which is denied by the latest SELinux policy. 2484 is the new reserved port for Oracle over SSL.

To Repro:

1) setsebool -P httpd_can_network_connect_db=1
2) Have a script attempt outbound connection on port 2483 and 2484

Suggested fix: Same as Bug 570481, add tcp 2483 and 2484 to the list.

Workaround: httpd_can_network_connect=1 "works," but too permissively.

Is there an upgrade-safe way for customers to customize the list of ports?
Comment 1 Daniel Walsh 2011-01-14 21:55:05 UTC 
You can define these ports as mysql or postgresl ports.

semanage port -a -t mysqld_port_t -p tcp 1521
semanage port -a -t mysqld_port_t -p tcp 2483
semanage port -a -t mysqld_port_t -p tcp 2484