Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 570481

Summary: SELinux policy should include a Boolean for MSSQL
Product: Red Hat Enterprise Linux 5 Reporter: Chris Smowton <cs448>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 5.6CC: jrieden, ksrot, mgrepl, mmalik, ralph
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously, the "httpd_can_network_connect_db" boolean did not allow the httpd service to connect to Microsoft SQL Server (MSSQL). This error has been fixed, the boolean has been modified, and the relevant policy code has been added to define mssql port.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:48:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Smowton 2010-03-04 13:52:24 UTC 
The selinux boolean httpd_can_network_connect_db permits httpd to connect to MySQL and Postgre servers, but not MSSQL, making PHP+MSSQL something of a pain -- one can either hack around the problem by semanage'ing mysql_t to include the MSSQL port, or use the catch-all httpd_can_network_connect.

Either the network_connect_db flag should permit MSSQL connections too, or it should be split into can_network_connect_mysql, _postgre, _mssql, _oracle, etc which is at least clearer than "db" which suggests you've caught all common database types.

Reporting here on the advice of CentOS admins, having initially reported at http://bugs.centos.org/view.php?id=4226
Comment 1 Daniel Walsh 2010-03-04 15:00:53 UTC 
Seems reasonable.


Miroslav add

network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)

And

tunable_policy(`httpd_can_network_connect_db',`
...
	corenet_tcp_connect_mssql_port(httpd_t)
	corenet_sendrecv_mssql_client_packets(httpd_t)
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)

to apache.te
Comment 4 Miroslav Grepl 2010-07-22 09:21:39 UTC 
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 7 Jaromir Hradilek 2011-01-05 16:09:22 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, the "httpd_can_network_connect_db" boolean did not allow the httpd service to connect to Microsoft SQL Server (MSSQL). This error has been fixed, the boolean has been modified, and the relevant policy code has been added to define mssql port.
Comment 9 errata-xmlrpc 2011-01-13 21:48:30 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html