[Bug 164992] New: Mod_proxy does not work with SElinux default policy

Joe Orton jorton at redhat.com
Tue Aug 16 11:39:44 UTC 2005


On Mon, Aug 15, 2005 at 11:59:52AM -0400, Daniel J Walsh wrote:
> can_network(httpd_t)
> can_kerberos(httpd_t)
> can_resolve(httpd_t)
> can_ypbind(httpd_t)
> can_ldap(httpd_t)
> allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
> # allow httpd to connect to mysql/posgresql
> allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
> # allow httpd to work as a relay
> allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t 
> }:tcp_socket name_connect;

So this would allow connections to ports 80, 8080, etc etc?

Yes, that looks sufficient, but it does seem to defeat the point of 
having the boolean in the first place :)

joe




More information about the fedora-selinux-list mailing list