If one enables the "feedback" feature in MariaDB (I did after listening to a speech by Michael "Monty" Widenius where he asked the audience to do that) one gets AVCs about mysqld_t trying to name_connect to http_port_t. This can be allowed by enabling the mysql_connect_any boolean. But that allows it to connect to ANY port. Typically, the MariaDB server does not need to connect to arbitrary ports, while the "feedback" feature is a specific thing built in.
I would suggest creating a separate boolean to allow this. I guess it would have to allow connection to ports 80, 81, etc. too since they share the http_port_t type. But it would still be much more restricted than allowing ANY port.
Would it make sense?
Yes, it makes sense.
Thank you for your report.
Merge: 1717c93 a6dbe7f
Author: Lukas Vrabec <email@example.com>
Date: Thu Oct 15 17:10:49 2015 +0200
Merge pull request #51 from vmojzis/f23-contrib
Add boolean allowing mysqld to connect to http port. BZ #1262125
Author: Vit Mojzis <firstname.lastname@example.org>
Date: Thu Oct 15 16:10:50 2015 +0200
Add boolean allowing mysqld to connect to http port. #1262125
I was flagged "needinfo", but I'm not sure what the question is. What is it I should answer? When -152.fc23 appears on koji I can try it out. Is that what you meant?
selinux-policy-3.13.1-152.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-456c6b6cb4
(In reply to Göran Uddeborg from comment #3)
Sorry, I did that by accident.
In that case, you can consider it answered! :-)
selinux-policy-3.13.1-152.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-456c6b6cb4
selinux-policy-3.13.1-152.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
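The report's reasoning (allow mysqld_t to reach http_port_t only, rather than enabling mysql_connect_any) can be checked against audit data before choosing a boolean. The following is an added example, not part of the bug report or of selinux-policy: it triages AVC lines to see whether every denied outbound connection from mysqld_t targets http_port_t. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed audit.log excerpt for illustration; not taken from the bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1444900000.101:501): avc:  denied  { name_connect } for  pid=2114 comm="mysqld" dest=80 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1444900300.412:517): avc:  denied  { name_connect } for  pid=2114 comm="mysqld" dest=80 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1444900301.007:518): avc:  denied  { name_connect } for  pid=2114 comm="mysqld" dest=25 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1444900302.220:519): avc:  denied  { name_connect } for  pid=987 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1444900303.654:520): avc:  denied  { read } for  pid=2114 comm="mysqld" name="passwd" dev="dm-0" ino=1311 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bscontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
DEST_RE = re.compile(r"\bdest=(\d+)")


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def mysqld_connect_denials(log_text):
    """Count mysqld_t name_connect denials per (target port type, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "tcp_socket":
            continue  # not an AVC denial on a TCP socket
        if "name_connect" not in m["perms"].split():
            continue  # some other permission
        if selinux_type(m["scon"]) != "mysqld_t":
            continue  # denial belongs to another domain
        dest = DEST_RE.search(line)
        port = int(dest.group(1)) if dest else None
        counts[(selinux_type(m["tcon"]), port)] += 1
    return counts


def triage(log_text):
    """Split denials into those an http_port_t-only rule covers and the rest."""
    denials = mysqld_connect_denials(log_text)
    http = {k: v for k, v in denials.items() if k[0] == "http_port_t"}
    other = {k: v for k, v in denials.items() if k[0] != "http_port_t"}
    return {"http_port_t": http, "other_types": other,
            "narrow_rule_suffices": bool(http) and not other}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Any entry under `other_types` is a connection that an http_port_t-only boolean would still deny, so it should be investigated on its own rather than covered by turning on mysql_connect_any.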