[Bug 164992] New: Mod_proxy does not work with SElinux default policy

Joe Orton jorton at redhat.com
Tue Aug 16 12:13:11 UTC 2005

On Tue, Aug 16, 2005 at 12:43:56PM +0100, Paul Howarth wrote:
> Joe Orton wrote:
> >On Mon, Aug 15, 2005 at 11:59:52AM -0400, Daniel J Walsh wrote:
> >
> >>can_network(httpd_t)
> >>can_kerberos(httpd_t)
> >>can_resolve(httpd_t)
> >>can_ypbind(httpd_t)
> >>can_ldap(httpd_t)
> >>allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
> >># allow httpd to connect to mysql/posgresql
> >>allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
> >># allow httpd to work as a relay
> >>allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t 
> >>}:tcp_socket name_connect;
> >
> >
> >So this would allow connections to ports 80, 8080, etc etc?
> >
> >Yes, that looks sufficient, but it does seem to defeat the point of 
> >having the boolean in the first place :)
> One example of something that's allowed by setting the boolean but not 
> allowed with the above rules is for httpd_t to connect to an SMTP port. 
> So a compromised httpd can't be used as a spam server.

Unless /usr/sbin/sendmail works, which it should.

But I don't think this is the right approach to be taking with this 

I think it would be really useful to have a boolean which could be 
turned on which prevents httpd from making any outgoing TCP connections 
at all [1]. If I'm running a box with web server and database for your 
average LAMP webapp, that would be a *really* useful security feature: I 
can turn it on and significantly mitigate the impact of all PHP issues 
du jour.

But with this watered down policy, it's not really useful at all.  The 
PHP exploit can go and wget some local kernel exploit code and we're all 
doomed again.


[1] (note that the *connections to local interfaces* are still needed 
for the parent-connects-to-port-80 thing even with such a policy 

More information about the fedora-selinux-list mailing list