#2 Add SELinux rules for PostgreSQL and MySQL connections
Closed 6 years ago by jcline. Opened 6 years ago by jcline.
rpms/ jcline/ejabberd master  into  master

file modified
+4
@@ -40,6 +40,10 @@ 

  corenet_tcp_connect_epmd_port(ejabberd_t)

  corenet_tcp_connect_generic_port(ejabberd_t)

  corenet_tcp_connect_jabber_interserver_port(ejabberd_t)

+ corenet_tcp_connect_postgresql_port(ejabberd_t)

+ postgresql_stream_connect(ejabberd_t)

+ corenet_tcp_connect_mysqld_port(ejabberd_t)

+ mysql_stream_connect(ejabberd_t)

  

  corenet_udp_bind_generic_node(ejabberd_t)

  
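Review bot: The two calls added after corenet_tcp_connect_jabber_interserver_port, postgresql_stream_connect(ejabberd_t) and mysql_stream_connect(ejabberd_t), are interfaces provided by the postgresql and mysql policy modules rather than by corenetwork, and as shown they are called unconditionally. Unless an enclosing block outside the visible context already covers it, wrap each in its own optional_policy block so the ejabberd module still compiles and loads on a system where those modules are absent. All four added lines also grant database access to every ejabberd_t process, including installs that stay on Mnesia, so consider gating each pair behind a boolean that defaults to off; a short comment above them naming the storage backends they serve would help too. The description says the MySQL rules were not tried, so confirm them with a run that produces no AVC denials before they are carried to other branches.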

It's possible to use SQL databases like PostgreSQL and MySQL instead of
Mnesia for storage in ejabberd. This adds SELinux rules to connect to
those databases.

Note: I tested the PostgreSQL rule for TCP connections, but I haven't tried the MySQL rules.

BTW, if you want we can cherry pick this back to f28 and f27. I've got an f28 18.03 update we can just add a new ejabberd build to if you want:

https://bodhi.fedoraproject.org/updates/FEDORA-2018-df7e7b9d3a

For F27, I haven't gotten the 18.03 build made yet because I'm waiting on https://pagure.io/releng/fedora-scm-requests/issue/5532 to get done, so for that one feel free to just cherry pick it into place and I'll pick it up whenever I get that f27 branch.

Oh, and for f26… you will have to send a PR to the Fedora policy, get them to review it, merge it, and make a new RPM with it. I found that process could take months which is why I split it out for F27. For F26:

https://github.com/fedora-selinux/selinux-policy-contrib/blob/f26/ejabberd.te

I just noticed that they still haven't even merged my PRs to remove SELinux from f27+ :100:

https://github.com/fedora-selinux/selinux-policy-contrib/pull/38
https://github.com/fedora-selinux/selinux-policy-contrib/pull/39

I should poke them about that.

Okay, I merged this and cherry-picked it back through f27. Given F26 will likely be EOL by the time a PR got accepted I'm not going to bother unless you really want that.

Pull-Request has been closed by jcline

6 years ago

@jcline hahah yeah I've found it's extremely difficult to get SELinux PRs merged, which is unfortunate.