[Bug 164992] New: Mod_proxy does not work with SElinux default policy
Joe Orton
jorton at redhat.com
Tue Aug 16 12:13:11 UTC 2005
On Tue, Aug 16, 2005 at 12:43:56PM +0100, Paul Howarth wrote:
> Joe Orton wrote:
> >On Mon, Aug 15, 2005 at 11:59:52AM -0400, Daniel J Walsh wrote:
> >
> >>can_network(httpd_t)
> >>can_kerberos(httpd_t)
> >>can_resolve(httpd_t)
> >>can_ypbind(httpd_t)
> >>can_ldap(httpd_t)
> >>allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
> >># allow httpd to connect to mysql/postgresql
> >>allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
> >># allow httpd to work as a relay
> >>allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t
> >>}:tcp_socket name_connect;
> >
> >
> >So this would allow connections to ports 80, 8080, etc etc?
> >
> >Yes, that looks sufficient, but it does seem to defeat the point of
> >having the boolean in the first place :)
>
> One example of something that's allowed by setting the boolean but not
> allowed with the above rules is for httpd_t to connect to an SMTP port.
> So a compromised httpd can't be used as a spam server.
Unless /usr/sbin/sendmail works, which it should.
But I don't think this is the right approach to be taking with this
issue.
I think it would be really useful to have a boolean which could be
turned on which prevents httpd from making any outgoing TCP connections
at all [1]. If I'm running a box with web server and database for your
average LAMP webapp, that would be a *really* useful security feature: I
can turn it on and significantly mitigate the impact of all PHP issues
du jour.
But with this watered down policy, it's not really useful at all. The
PHP exploit can go and wget some local kernel exploit code and we're all
doomed again.
joe
[1] (note that the *connections to local interfaces* are still needed
for the parent-connects-to-port-80 thing even with such a policy
enforced)
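The exchange above turns on which port types `httpd_t` is granted `name_connect` to under the enumerated "relay" rules versus under the blanket boolean. The following is an added example, not code from the thread or from the SELinux reference policy: a small parser for `allow` rules of the form quoted (brace sets, multi-line continuations, `#` comments) and an audit helper that answers "can this domain connect to this port type?". The `RELAY_POLICY` text is the rule set quoted in the thread; `BOOLEAN_POLICY` is a constructed stand-in for what the network-connect boolean effectively grants (modelled as the `port_type` attribute), and the `can_*` m4 macros are skipped rather than expanded, both assumptions made here.

```python
import re
from dataclasses import dataclass

# Rule set as quoted in the thread (macros and comments included).
RELAY_POLICY = """
can_network(httpd_t)
can_kerberos(httpd_t)
can_resolve(httpd_t)
can_ypbind(httpd_t)
can_ldap(httpd_t)
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
# allow httpd to connect to mysql/postgresql
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
# allow httpd to work as a relay
allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t
}:tcp_socket name_connect;
"""

# Constructed stand-in for the blanket boolean: "any port type" is modelled
# with the port_type attribute. This is an assumption for illustration, not a
# rule taken from the page.
BOOLEAN_POLICY = """
allow httpd_t port_type:tcp_socket name_connect;
"""


@dataclass(frozen=True)
class AllowRule:
    source: str
    targets: frozenset
    cls: str
    perms: frozenset


# Matches: allow <src> <tgt | { tgt ... }>:<class> <perm | { perm ... }>;
# re.S lets a brace set span lines, as the relay rule does above.
ALLOW_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\{[^}]*\}|\S+?)\s*:\s*"
    r"(?P<cls>\w+)\s+(?P<perms>\{[^}]*\}|\w+)\s*;",
    re.S,
)


def _as_set(token):
    """Turn 'foo' or '{ foo bar }' into a frozenset of identifiers."""
    token = token.strip()
    if token.startswith("{"):
        return frozenset(token[1:-1].split())
    return frozenset([token])


def parse_allow_rules(text):
    """Extract allow rules; comments are stripped, m4 macros are ignored."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [
        AllowRule(m.group("src"), _as_set(m.group("tgt")),
                  m.group("cls"), _as_set(m.group("perms")))
        for m in ALLOW_RE.finditer(stripped)
    ]


def connectable_port_types(rules, domain="httpd_t"):
    """Port types the domain may name_connect to over TCP."""
    allowed = set()
    for r in rules:
        if r.source == domain and r.cls == "tcp_socket" and "name_connect" in r.perms:
            allowed |= r.targets
    return allowed


def can_connect(rules, port_type, domain="httpd_t"):
    """True if a rule names the port type, or grants the whole port_type attribute."""
    allowed = connectable_port_types(rules, domain)
    return port_type in allowed or "port_type" in allowed


if __name__ == "__main__":
    relay = parse_allow_rules(RELAY_POLICY)
    print("relay rules allow name_connect to:", sorted(connectable_port_types(relay)))
    for pt in ("http_port_t", "mysqld_port_t", "smtp_port_t"):
        print(f"{pt}: relay={can_connect(relay, pt)} "
              f"boolean={can_connect(parse_allow_rules(BOOLEAN_POLICY), pt)}")
```

Run as a script it lists the six port types reachable under the relay rules and shows that `smtp_port_t` is reachable only once the boolean-style rule is present, which is the distinction Paul draws; a real audit would run `sesearch` against the compiled policy rather than parse source text, since the macros expand to further rules this toy parser does not see.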