Bug 1262125 - RFE: a separate mysql boolean to allow the "feedback" function
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified Unspecified
Priority: medium, Severity: low
Assigned To: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-09-10 17:01 EDT by Göran Uddeborg
Modified: 2015-10-24 08:24 EDT
Fixed In Version: selinux-policy-3.13.1-152.fc23
Doc Type: Bug Fix
Last Closed: 2015-10-24 08:24:37 EDT
Type: Bug


Description Göran Uddeborg 2015-09-10 17:01:35 EDT
If one enables the "feedback" feature in MariaDB (I did after listening to a speech by Michael "Monty" Widenius where he asked the audience to do that), one gets AVCs about mysqld_t trying to name_connect to http_port_t. This can be allowed by enabling the mysql_connect_any boolean. But that allows it to connect to ANY port. Typically, the MariaDB server does not need to connect to arbitrary ports, while the "feedback" feature is a specific thing built in.

I would suggest creating a separate boolean to allow this. I guess it would have to allow connection to ports 80, 81, etc. too, since they share the http_port_t type. But it would still be much more restricted than allowing ANY port.

Would it make sense?
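
Added example, not part of the bug report or of selinux-policy: a Python check that reads AVC denials of the kind the description mentions and reports whether every denied mysqld_t name_connect targets http_port_t, that is, whether an http-port-only rule would cover them without enabling mysql_connect_any. The log lines, function names and result labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1441918895.101:411): avc:  denied  { name_connect } for  pid=2211 comm="mysqld" dest=80 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1441918897.204:412): avc:  denied  { name_connect } for  pid=2211 comm="mysqld" dest=443 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1441918899.001:413): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev="dm-0" ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
"""

def type_of(context):
    # An SELinux context is user:role:type[:mls]; the type is the third field.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def denied_connects(log_text, domain="mysqld_t"):
    """Map target port type -> sorted destination ports denied to `domain`."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
        if not m or "name_connect" not in m.group(1).split():
            continue  # not a denial, or not an outbound TCP connect
        # Collect the key=value fields of the record (values may be quoted).
        f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        if f.get("tclass") != "tcp_socket":
            continue
        if type_of(f.get("scontext", "")) != domain:
            continue  # denial belongs to another domain
        seen[type_of(f.get("tcontext", ""))].add(int(f.get("dest", 0)))
    return {t: sorted(ports) for t, ports in seen.items()}

def narrowest_grant(connects):
    """Say whether an http_port_t-only rule would cover every denial."""
    if not connects:
        return "nothing-to-allow"
    if set(connects) == {"http_port_t"}:
        return "http-port-only"
    # Some denial targets another port type, so an http-only rule is not enough.
    return "broader-than-http"

if __name__ == "__main__":
    found = denied_connects(SAMPLE_LOG)
    print(found, narrowest_grant(found))
```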
Comment 1 Miroslav Grepl 2015-09-21 03:57:51 EDT
Yes, it makes sense.

Thank you for your report.
Comment 2 Vit Mojzis 2015-10-15 12:03:10 EDT
commit 74686ad7d87ac241bad3edb0d9620b2bf5daa9f7
Merge: 1717c93 a6dbe7f
Author: Lukas Vrabec <wrabcak@users.noreply.github.com>
Date:   Thu Oct 15 17:10:49 2015 +0200

    Merge pull request #51 from vmojzis/f23-contrib
    
    Add boolean allowing mysqld to connect to http port.  BZ #1262125

commit a6dbe7fd41c5c5efd301bf2c99b833d4fc1ec2cd
Author: Vit Mojzis <vmojzis@redhat.com>
Date:   Thu Oct 15 16:10:50 2015 +0200

    Add boolean allowing mysqld to connect to http port. #1262125
Comment 3 Göran Uddeborg 2015-10-15 14:04:25 EDT
I was flagged "needinfo", but I'm not sure what the question is.  What is it I should answer?  When -152.fc23 appears on koji I can try it out.  Is that what you meant?
Comment 4 Fedora Update System 2015-10-21 07:42:21 EDT
selinux-policy-3.13.1-152.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-456c6b6cb4
Comment 5 Vit Mojzis 2015-10-21 08:44:02 EDT
(In reply to Göran Uddeborg from comment #3)
Sorry, I did that by accident.
Comment 6 Göran Uddeborg 2015-10-21 17:00:33 EDT
In that case, you can consider it answered! :-)
Comment 7 Fedora Update System 2015-10-24 08:09:55 EDT
selinux-policy-3.13.1-152.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-456c6b6cb4
Comment 8 Fedora Update System 2015-10-24 08:24:17 EDT
selinux-policy-3.13.1-152.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
