[Bug 164992] New: Mod_proxy does not work with SElinux default policy
Paul Howarth
paul at city-fan.org
Tue Aug 16 11:43:56 UTC 2005
Joe Orton wrote:
> On Mon, Aug 15, 2005 at 11:59:52AM -0400, Daniel J Walsh wrote:
>
>>can_network(httpd_t)
>>can_kerberos(httpd_t)
>>can_resolve(httpd_t)
>>can_ypbind(httpd_t)
>>can_ldap(httpd_t)
>>allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
>># allow httpd to connect to mysql/posgresql
>>allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
>># allow httpd to work as a relay
>>allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t
>>}:tcp_socket name_connect;
>
>
> So this would allow connections to ports 80, 8080, etc etc?
>
> Yes, that looks sufficient, but it does seem to defeat the point of
> having the boolean in the first place :)
One example of something that's allowed by setting the boolean but not
allowed with the above rules is for httpd_t to connect to an SMTP port.
So a compromised httpd can't be used as a spam server.
Paul.
More information about the fedora-selinux-list
mailing list