This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 570481 - SELinux policy should include a Boolean for MSSQL
SELinux policy should include a Boolean for MSSQL
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.6
All Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Walsh
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-04 08:52 EST by Chris Smowton
Modified: 2012-10-16 07:07 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the "httpd_can_network_connect_db" boolean did not allow the httpd service to connect to Microsoft SQL Server (MSSQL). This error has been fixed, the boolean has been modified, and the relevant policy code has been added to define mssql port.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 16:48:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Chris Smowton 2010-03-04 08:52:24 EST
The selinux boolean httpd_can_network_connect_db permits httpd to connect to MySQL and Postgre servers, but not MSSQL, making PHP+MSSQL something of a pain -- one can either hack around the problem by semanage'ing mysql_t to include the MSSQL port, or use the catch-all httpd_can_network_connect.

Either the network_connect_db flag should permit MSSQL connections too, or it should be split into can_network_connect_mysql, _postgre, _mssql, _oracle, etc which is at least clearer than "db" which suggests you've caught all common database types.

Reporting here on the advice of CentOS admins, having initially reported at http://bugs.centos.org/view.php?id=4226
Comment 1 Daniel Walsh 2010-03-04 10:00:53 EST
Seems reasonable.


Miroslav add

network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)

And

tunable_policy(`httpd_can_network_connect_db',`
...
	corenet_tcp_connect_mssql_port(httpd_t)
	corenet_sendrecv_mssql_client_packets(httpd_t)
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)

to apache.te
Comment 4 Miroslav Grepl 2010-07-22 05:21:39 EDT
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 7 Jaromir Hradilek 2011-01-05 11:09:22 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, the "httpd_can_network_connect_db" boolean did not allow the httpd service to connect to Microsoft SQL Server (MSSQL). This error has been fixed, the boolean has been modified, and the relevant policy code has been added to define mssql port.
Comment 9 errata-xmlrpc 2011-01-13 16:48:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.