Bug 570481 - SELinux policy should include a Boolean for MSSQL
Summary: SELinux policy should include a Boolean for MSSQL
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-04 13:52 UTC by Chris Smowton
Modified: 2012-10-16 11:07 UTC (History)
5 users (show)

(edit)
Previously, the "httpd_can_network_connect_db" boolean did not allow the httpd service to connect to Microsoft SQL Server (MSSQL). This error has been fixed, the boolean has been modified, and the relevant policy code has been added to define mssql port.
Clone Of:
(edit)
Last Closed: 2011-01-13 21:48:30 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Chris Smowton 2010-03-04 13:52:24 UTC
The selinux boolean httpd_can_network_connect_db permits httpd to connect to MySQL and Postgre servers, but not MSSQL, making PHP+MSSQL something of a pain -- one can either hack around the problem by semanage'ing mysql_t to include the MSSQL port, or use the catch-all httpd_can_network_connect.

Either the network_connect_db flag should permit MSSQL connections too, or it should be split into can_network_connect_mysql, _postgre, _mssql, _oracle, etc which is at least clearer than "db" which suggests you've caught all common database types.

Reporting here on the advice of CentOS admins, having initially reported at http://bugs.centos.org/view.php?id=4226

Comment 1 Daniel Walsh 2010-03-04 15:00:53 UTC
Seems reasonable.


Miroslav add

network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)

And

tunable_policy(`httpd_can_network_connect_db',`
...
	corenet_tcp_connect_mssql_port(httpd_t)
	corenet_sendrecv_mssql_client_packets(httpd_t)
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)

to apache.te

Comment 4 Miroslav Grepl 2010-07-22 09:21:39 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 7 Jaromir Hradilek 2011-01-05 16:09:22 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, the "httpd_can_network_connect_db" boolean did not allow the httpd service to connect to Microsoft SQL Server (MSSQL). This error has been fixed, the boolean has been modified, and the relevant policy code has been added to define mssql port.

Comment 9 errata-xmlrpc 2011-01-13 21:48:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html


Note You need to log in before you can comment on or make changes to this bug.