[Bug 164992] New: Mod_proxy does not work with SElinux default policy
Daniel J Walsh
dwalsh at redhat.com
Fri Aug 5 18:49:37 UTC 2005
Joe Orton wrote:
>On Wed, Aug 03, 2005 at 09:41:43AM -0400, Daniel J Walsh wrote:
>
>>Joe Orton wrote:
>>
>>>Expected Results: I would expect the default policy to allow proxying and
>>>Message is not explicit and I had to search a long time to understand....
>>>
>>>Additional info:
>>>
>>We could allow apache to connect to apache ports by default, if that
>>would satisfy this.
>>
>
>No, when mod_proxy is used as a generic HTTP proxy (a not entirely
>uncommon configuration) it needs to be able to connect to any remote
>port on any remote address.
>
>joe
>
Defaulting apache to can_network_connect_any=1 could allow a subverted
apache web server to be set up as a spammer, or a launch site for further
attacks. So I don't think this would be a good idea.