Bug 1209180 - MongoDB is not in httpd_can_network_connect_db
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-04-06 15:37 UTC by John Orthoefer
Modified: 2015-04-22 22:44 UTC

Fixed In Version: selinux-policy-3.13.1-105.13.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-22 22:44:22 UTC
Type: Bug
Embargoed:


Description John Orthoefer 2015-04-06 15:37:21 UTC
Description of problem:

The MongoDB port, tcp/27017, does not seem to be included in httpd_can_network_connect_db. Since Mongo is part of the distribution, the policy should be updated so that the sebool includes the port.


Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch   3.13.1-105.9.fc21
selinux-policy-targeted.noarch  3.12.1-197.fc20


How reproducible:
Install MongoDB and httpd, then use a script run by httpd to connect to MongoDB.


Steps to Reproduce:
1.
2.
3.

Actual results:
connection failure


Expected results:
connection allowed/denied based on the setting of httpd_can_network_connect_db


Additional info:

Comment 1 John Orthoefer 2015-04-06 15:40:23 UTC
Listing of httpd_can_network_connect_db from a freshly installed FC21 machine.

[root@dhcp89-089-026 ~]# yum list installed | grep -i policy
policycoreutils.x86_64           2.3-7.1.fc21       @koji-override-0/$releasever
selinux-policy.noarch            3.13.1-105.9.fc21  @updates                    
selinux-policy-targeted.noarch   3.13.1-105.9.fc21  @updates                    
[root@dhcp89-089-026 ~]# sesearch -A -s httpd_t -b httpd_can_network_connect_db -p name_connect
Found 5 semantic av rules:
   allow httpd_t oracle_port_t : tcp_socket name_connect ; 
   allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ; 
   allow httpd_t mssql_port_t : tcp_socket name_connect ; 
   allow httpd_t gds_db_port_t : tcp_socket name_connect ; 
   allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ; 

[root@dhcp89-089-026 ~]#
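
Added example (not part of the bug report or of selinux-policy): a small audit that parses sesearch output in the format quoted in Comment 1 and reports which port types an application needs but the boolean does not grant. The function names are hypothetical, and `mongod_port_t` is an assumed type name for MongoDB's ports that does not appear on this page; confirm it with `semanage port -l`.

```shell
#!/bin/sh
# Added example: list the port types a boolean lets a domain connect to,
# parsed from sesearch output in the format quoted in Comment 1.

# Constructed sample: the five pre-fix rules from Comment 1.
sample_rules() {
cat <<'EOF'
Found 5 semantic av rules:
   allow httpd_t oracle_port_t : tcp_socket name_connect ;
   allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t mssql_port_t : tcp_socket name_connect ;
   allow httpd_t gds_db_port_t : tcp_socket name_connect ;
   allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;
EOF
}

# stdin: sesearch output. $1: source domain.
# Prints each target type that grants tcp_socket name_connect, sorted.
connect_targets() {
    awk -v src="$1" '
        $1 == "allow" && $2 == src && $4 == ":" && $5 == "tcp_socket" {
            # Permission is a single word or a { ... } set; scan both forms.
            for (i = 6; i <= NF; i++)
                if ($i == "name_connect") { print $3; break }
        }' | sort -u
}

# stdin: sesearch output. $1: source domain. $2..: port types the app needs.
# Prints the needed types that are absent; returns 1 if any is missing.
missing_targets() {
    src=$1; shift
    have=$(connect_targets "$src")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return "$rc"
}

# mongod_port_t is an assumed type name (not on the page); confirm locally.
if missing=$(sample_rules | missing_targets httpd_t mysqld_port_t mongod_port_t); then
    echo "all needed port types are covered by the boolean"
else
    echo "not covered by the boolean: $missing"
fi
```

On a live system, pipe the sesearch command from Comment 1 into `missing_targets` in place of `sample_rules`, before and after updating selinux-policy, to see whether the fixed policy covers the port type.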

Comment 2 Lukas Vrabec 2015-04-07 13:55:49 UTC
commit 97db01b1b05323a83b8d8b15b4a8eea57bd1b167
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 7 15:54:48 2015 +0200

    Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)

Comment 3 John Orthoefer 2015-04-07 14:05:34 UTC
Can this change be backported to fc20 as well?

Comment 4 Lukas Vrabec 2015-04-07 14:12:06 UTC
Sure, 

commit 90179ad6fee82a00f25bfceecd8ebdfd8f8e2077
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 7 15:54:48 2015 +0200

    Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)

Comment 5 Fedora Update System 2015-04-16 21:30:26 UTC
selinux-policy-3.13.1-105.13.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.13.fc21

Comment 6 Fedora Update System 2015-04-18 09:40:16 UTC
Package selinux-policy-3.13.1-105.13.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.13.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-6316/selinux-policy-3.13.1-105.13.fc21
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-04-22 22:44:22 UTC
selinux-policy-3.13.1-105.13.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

