Bug 1262125 - RFE: a separate mysql boolean to allow the "feedback" function
Summary: RFE: a separate mysql boolean to allow the "feedback" function
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-09-10 21:01 UTC by Göran Uddeborg
Modified: 2015-10-24 12:24 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-152.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-24 12:24:37 UTC
Type: Bug


Attachments (Terms of Use)

Description Göran Uddeborg 2015-09-10 21:01:35 UTC
If one enables the "feedback" feature in MariaDB (I did after listening to a speech by Michael "Monty" Widenius where he asked the audience to do that) one gets AVC:s about mysqld_t trying to name_connect to http_port_t.  This can be allowed by enabling the mysql_connect_any boolean.  But that allows it to connect to ANY port.  Typically, the MariaDB server does not need to connect to arbitrary port, while the "feedback" feature is a specific thing built in.

I would suggest to create a separate boolean to allow this.  I guess it would have to allow connection to ports 80, 81, etc. too since they share the http_port_t type.  But it would still be much more restricted than allowing ANY port.

Would it make sense?

Comment 1 Miroslav Grepl 2015-09-21 07:57:51 UTC
Yes, it makes sense.

Thank you for your report.

Comment 2 Vit Mojzis 2015-10-15 16:03:10 UTC
commit 74686ad7d87ac241bad3edb0d9620b2bf5daa9f7
Merge: 1717c93 a6dbe7f
Author: Lukas Vrabec <wrabcak@users.noreply.github.com>
Date:   Thu Oct 15 17:10:49 2015 +0200

    Merge pull request #51 from vmojzis/f23-contrib
    
    Add boolean allowing mysqld to connect to http port.  BZ #1262125

commit a6dbe7fd41c5c5efd301bf2c99b833d4fc1ec2cd
Author: Vit Mojzis <vmojzis@redhat.com>
Date:   Thu Oct 15 16:10:50 2015 +0200

    Add boolean allowing mysqld to connect to http port. #1262125

Comment 3 Göran Uddeborg 2015-10-15 18:04:25 UTC
I was flagged "needinfo", but I'm not sure what the question is.  What is it I should answer?  When -152.fc23 appears on koji I can try it out.  Is that what you meant?

Comment 4 Fedora Update System 2015-10-21 11:42:21 UTC
selinux-policy-3.13.1-152.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-456c6b6cb4

Comment 5 Vit Mojzis 2015-10-21 12:44:02 UTC
(In reply to Göran Uddeborg from comment #3)
Sorry, I did that by accident.

Comment 6 Göran Uddeborg 2015-10-21 21:00:33 UTC
In that case, you can consider it answered! :-)

Comment 7 Fedora Update System 2015-10-24 12:09:55 UTC
selinux-policy-3.13.1-152.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-456c6b6cb4

Comment 8 Fedora Update System 2015-10-24 12:24:17 UTC
selinux-policy-3.13.1-152.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.