[Bug 164992] New: Mod_proxy does not work with SElinux default policy

Joe Orton jorton at redhat.com
Wed Aug 10 20:21:48 UTC 2005

On Mon, Aug 08, 2005 at 04:40:42PM +0100, Joe Orton wrote:
> On Fri, Aug 05, 2005 at 02:49:37PM -0400, Daniel J Walsh wrote:
> > Joe Orton wrote:
> > >No, when mod_proxy is used as a generic HTTP proxy (a not entirely 
> > >uncommon configuration) it needs to be able to connect to any remote 
> > >port on any remote address.
> > > 
> > >
> > Defaulting apache to can_network_connect_any=1 could allow a subverted 
> > apache web server to be setup as a spammer, or a launch site for further 
> > attacks.  So I don't think this would be a good idea.
> Currently the following is known to be broken in the default 
> configuration:

Another one, https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165592

4) web applications which connect to remote LDAP databases, and 
similarly, I guess, the Apache LDAP-based authentication module, if 
configured to use remote LDAP databases.

More information about the fedora-selinux-list mailing list