Description of problem:
Mongodb port of tcp/27017 does not seem to be included in httpd_can_network_connect_db. Since Mongo is part of the distribution, the policy should be updated so that the sebool includes the port.

Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch 3.13.1-105.9.fc21
selinux-policy-targeted.noarch 3.12.1-197.fc20

How reproducible:
Install MongoDB and httpd, then use a script run by httpd to connect to MongoDB.

Steps to Reproduce:
1.
2.
3.

Actual results:
connection failure

Expected results:
connection allowed/denied based on the setting of httpd_can_network_connect_db

Additional info:
Listing of httpd_can_network_connect_db from a freshly installed FC21 machine.

[root@dhcp89-089-026 ~]# yum list installed | grep -i policy
policycoreutils.x86_64            2.3-7.1.fc21         @koji-override-0/$releasever
selinux-policy.noarch             3.13.1-105.9.fc21    @updates
selinux-policy-targeted.noarch    3.13.1-105.9.fc21    @updates
[root@dhcp89-089-026 ~]# sesearch -A -s httpd_t -b httpd_can_network_connect_db -p name_connect
Found 5 semantic av rules:
   allow httpd_t oracle_port_t : tcp_socket name_connect ;
   allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t mssql_port_t : tcp_socket name_connect ;
   allow httpd_t gds_db_port_t : tcp_socket name_connect ;
   allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;
[root@dhcp89-089-026 ~]#
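Added example, not part of the original report or of the selinux-policy project: a shell check that parses `sesearch -A` output like the listing above and reports which database port types a boolean does not cover. The function names are hypothetical, and `mongod_port_t` is assumed to be the type that labels tcp/27017 (confirm with `semanage port -l`).

```shell
#!/bin/sh
# Constructed sample: the pre-fix rules quoted in the report above.
SAMPLE_RULES='Found 5 semantic av rules:
   allow httpd_t oracle_port_t : tcp_socket name_connect ;
   allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t mssql_port_t : tcp_socket name_connect ;
   allow httpd_t gds_db_port_t : tcp_socket name_connect ;
   allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;'

# Print the target types that source domain $1 may name_connect to over TCP.
# Reads sesearch -A output on stdin.
connect_targets() {
    awk -v src="$1" '
        # Pad punctuation so rules printed without spaces around ":" or ";"
        # split into the same fields as the spaced form shown above.
        { gsub(/[:;{}]/, " & ") }
        $1 == "allow" && $2 == src && $4 == ":" && $5 == "tcp_socket" {
            for (i = 6; i <= NF; i++)
                if ($i == "name_connect") { print $3; break }
        }' | sort -u
}

# Print each wanted port type ($2 ...) that the rules on stdin do NOT
# allow domain $1 to connect to. Empty output means full coverage.
missing_targets() {
    src=$1; shift
    have=$(connect_targets "$src")
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qx -- "$want" || printf '%s\n' "$want"
    done
}

# Demo on the constructed sample. mongod_port_t is an assumed type name.
printf '%s\n' "$SAMPLE_RULES" | missing_targets httpd_t mysqld_port_t mongod_port_t

# Live use (needs setools):
#   sesearch -A -s httpd_t -b httpd_can_network_connect_db -p name_connect \
#       | missing_targets httpd_t mysqld_port_t mongod_port_t
```

On the sample it prints `mongod_port_t`, the gap this report describes; run against an updated policy, the same check should print nothing.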
commit 97db01b1b05323a83b8d8b15b4a8eea57bd1b167
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 7 15:54:48 2015 +0200

    Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
Can this change be backported to fc20 as well?
Sure,

commit 90179ad6fee82a00f25bfceecd8ebdfd8f8e2077
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 7 15:54:48 2015 +0200

    Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
selinux-policy-3.13.1-105.13.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.13.fc21
Package selinux-policy-3.13.1-105.13.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.13.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-6316/selinux-policy-3.13.1-105.13.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.13.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.