Bug 669821 - SELinux policy should allow Oracle ports 1521, 2483, 2484
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2011-01-14 16:34 EST by Rich Graves
Modified: 2011-05-19 10:32 EDT
Doc Type: Bug Fix
Last Closed: 2011-05-19 10:32:09 EDT
Description Rich Graves 2011-01-14 16:34:38 EST
tcp 1521 is the legacy Oracle port. Newer installations use tcp 2483, which is denied by the latest SELinux policy. 2484 is the new reserved port for Oracle over SSL.

To Repro:

1) setsebool -P httpd_can_network_connect_db=1
2) Have a script attempt outbound connection on port 2483 and 2484

Suggested fix: Same as Bug 570481, add tcp 2483 and 2484 to the list.

Workaround: httpd_can_network_connect=1 "works," but too permissively.

Is there an upgrade-safe way for customers to customize the list of ports?
Comment 1 Daniel Walsh 2011-01-14 16:55:05 EST
You can define these ports as mysql or postgresql ports.

semanage port -a -t mysqld_port_t -p tcp 1521
semanage port -a -t mysqld_port_t -p tcp 2483
semanage port -a -t mysqld_port_t -p tcp 2484
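
An added example, not part of the bug report or of the comment above: a POSIX shell function that reads `semanage port -l` output and prints, for each of the three ports, whether it is already labeled, needs `semanage port -a`, or needs `-m` because another type already claims it. The listing and `example_port_t` are constructed sample data, and `plan_port_labels` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example (not from the bug report): turn `semanage port -l` output into
# the semanage commands still needed to label ports with a given type.

# Constructed sample listing; example_port_t is a made-up type name.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

example_port_t                 tcp      2483
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1521, 3306
mysqld_port_t                  udp      2484'

# Usage: semanage port -l | plan_port_labels TYPE PROTO PORT...
# Prints per port: a comment if nothing is needed, otherwise the command.
plan_port_labels() {
    want=$1 proto=$2
    shift 2
    listing=$(cat)
    for port in "$@"; do
        # Find the type of the record that names exactly this port/proto.
        # Ranges such as 6000-6020 are separate records and are not matched.
        current=$(printf '%s\n' "$listing" |
            awk -v proto="$proto" -v port="$port" -v want="$want" '
            $2 == proto {
                for (i = 3; i <= NF; i++) {
                    item = $i; sub(/,$/, "", item)
                    if (item == port && found != want) found = $1
                }
            }
            END { print found }')
        case $current in
            "$want") echo "# $proto/$port already labeled $want" ;;
            "")      echo "semanage port -a -t $want -p $proto $port" ;;
            *)       # -a is rejected for an already defined port; -m relabels it
                     echo "# $proto/$port is currently $current"
                     echo "semanage port -m -t $want -p $proto $port" ;;
        esac
    done
}

# Demo on the constructed listing; on a real host pipe `semanage port -l` in.
printf '%s\n' "$SAMPLE_LISTING" | plan_port_labels mysqld_port_t tcp 1521 2483 2484
```

Labeling the ports `mysqld_port_t` also opens them to every other domain the policy allows to connect to MySQL ports, so review the printed plan before running it.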
