Adding two new booleans to httpd to tighten it's security.

Daniel J Walsh dwalsh at
Fri Dec 9 20:58:14 UTC 2005

Currently policy allows httpd to connect to relay ports and to 
mysql/postgres ports.

Adding these booleans
    * httpd_can_network_relay
    * httpd_can_network_connect_db

And turning this feature off by default.  This is going into tonights 
reference policy and into FC4 test release.
If we had these turned off we would have prevented the last apache worm 

This could cause problems for people who run httpd relays or have their 
apache databases talking to mysql and postgres databases over the network.

You can turn the features back on by executing:
setsebool -P httpd_can_network_relay=1
setsebool -P httpd_can_network_connect_db=1

Will consider adding this feature to RHEL in a future update.




More information about the fedora-selinux-list mailing list