669821 – SELinux policy should allow Oracle ports 1521, 2483, 2484

Bug 669821 - SELinux policy should allow Oracle ports 1521, 2483, 2484

Summary: SELinux policy should allow Oracle ports 1521, 2483, 2484

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-01-14 21:34 UTC by Rich Graves
Modified:	2011-05-19 14:32 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-05-19 14:32:09 UTC
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Rich Graves 2011-01-14 21:34:38 UTC

tcp 1521 is the legacy Oracle port. Newer installations use tcp 2483, which is denied by the latest SELinux policy. 2484 is the new reserved port for Oracle over SSL.

To Repro:

1) setsebool -P httpd_can_network_connect_db=1
2) Have a script attempt outbound connection on port 2483 and 2484

Suggested fix: Same as Bug 570481, add tcp 2483 and 2484 to the list.

Workaround: httpd_can_network_connect=1 "works," but too permissively.

Is there an upgrade-safe way for customers to customize the list of ports?

Comment 1 Daniel Walsh 2011-01-14 21:55:05 UTC

You can define these ports as mysql or postgresl ports.

semanage port -a -t mysqld_port_t -p tcp 1521
semanage port -a -t mysqld_port_t -p tcp 2483
semanage port -a -t mysqld_port_t -p tcp 2484

Note You need to log in before you can comment on or make changes to this bug.