fedora-selinux-list Digest, Vol 18, Issue 9
Daniel J Walsh
dwalsh at redhat.com
Mon Aug 15 15:30:27 UTC 2005
Joe Orton wrote:
>On Tue, Aug 09, 2005 at 10:35:54AM -0400, John Griffiths wrote:
>
>
>> Joe Orton wrote:
>> The above all represent important functionality.
>>
>>
>> Agreed.
>>
>> I'm not convinced that the security vs usability tradeoff is being won
>> in favour of enabling the boolean by default.
>>
>>
>> I don't quite understand this sentence. Are you saying the boolean should
>> be enabled by default? We certainly need the functionality. When security
>> gets in the way of getting the job done, then we have lost the war.
>>
>>
>
>Sorry, I inverted the logic! I'm arguing that the
>httpd_can_network_connect boolean should be enabled by default, yes.
>
>joe
>
How about I add

# allow httpd to connect to mysql/postgresql databases
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
can_ldap(httpd_t)

by default and leave the boolean off?
Dan
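One way to measure what the proposal above would change on a given host, as an added example that is not part of the original thread or of the Fedora policy: it reads AVC denial records and separates httpd_t name_connect denials that the proposed default rule would cover from those that would still need httpd_can_network_connect. The log lines are constructed, and treating ldap_port_t as the port type covered by can_ldap(httpd_t) is an assumption.

```python
import re
from collections import Counter

# Port types covered by the proposed default rule. ldap_port_t is an
# assumption about what can_ldap(httpd_t) grants; adjust to your policy.
DEFAULT_ALLOWED = {"mysqld_port_t", "postgresql_port_t", "ldap_port_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bscontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
DEST_RE = re.compile(r"\bdest=(\d+)")

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def classify(lines, domain="httpd_t"):
    """Count name_connect denials for `domain`, split by what resolves them."""
    out = {"proposed_default": Counter(), "needs_boolean": Counter()}
    for line in lines:
        m = AVC_RE.search(line)
        if (not m or m["tclass"] != "tcp_socket"
                or "name_connect" not in m["perms"].split()
                or se_type(m["scon"]) != domain):
            continue  # not an outbound-connect denial for this domain
        ttype = se_type(m["tcon"])
        dest = DEST_RE.search(line)
        key = (ttype, int(dest.group(1)) if dest else None)
        bucket = "proposed_default" if ttype in DEFAULT_ALLOWED else "needs_boolean"
        out[bucket][key] += 1
    return out

# Constructed audit records for illustration (not from a real host).
_HDR = 'type=AVC msg=audit(1124119827.101:41): avc:  denied  '
SAMPLE = [
    _HDR + '{ name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0'
           ' tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    _HDR + '{ name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0'
           ' tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket',
    _HDR + '{ name_connect } for  pid=2101 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0'
           ' tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    _HDR + '{ name_connect } for  pid=977 comm="named" dest=25 scontext=system_u:system_r:named_t:s0'
           ' tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
    _HDR + '{ read } for  pid=2101 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t:s0'
           ' tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Entries left in `needs_boolean` are the connections that would keep failing with the boolean off, which is the list to review before deciding between a further narrow rule and enabling httpd_can_network_connect.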