[Bug 164992] New: Mod_proxy does not work with SElinux default policy

Joe Orton jorton at redhat.com
Mon Aug 8 15:40:42 UTC 2005


On Fri, Aug 05, 2005 at 02:49:37PM -0400, Daniel J Walsh wrote:
> Joe Orton wrote:
> >No, when mod_proxy is used as a generic HTTP proxy (a not entirely 
> >uncommon configuration) it needs to be able to connect to any remote 
> >port on any remote address.
> > 
> >
> Defaulting apache to can_network_connect_any=1 could allow a subverted 
> apache web server to be setup as a spammer, or a launch site for further 
> attacks.  So I don't think this would be a good idea.

Currently the following is known to be broken in the default 
configuration:

1) web applications which connect to remote {my,postgre}SQL databases
(and similarly, I guess, the Apache SQL-based-authentication modules)

2) all mod_proxy configurations (reverse proxy, forward proxy)

3) the parent connect()-to-listening-port "reap idle children" 
interface, which has the impact:

 a) one log message written to error_log per second when the server
acquiesces after a period of above-normal load and tries to reap idle 
children

 b) graceful restart does not work properly

The above all represent important functionality. 

I'm not convinced that the security vs usability tradeoff is being won 
in favour of enabling the boolean by default.

Regards,

joe




More information about the fedora-selinux-list mailing list