Adding two new booleans to httpd to tighten it's security.

[Nicklas Norling]

Daniel J Walsh wrote:

>
> Currently policy allows httpd to connect to relay ports and to 
> mysql/postgres ports.
>
> Adding these booleans
>    * httpd_can_network_relay
>    * httpd_can_network_connect_db
>
> And turning this feature off by default.  This is going into tonights 
> reference policy and into FC4 test release.
> If we had these turned off we would have prevented the last apache 
> worm virus.
> This could cause problems for people who run httpd relays or have 
> their apache databases talking to mysql and postgres databases over 
> the network.
>
I'm sorry but I don't understand most of what you write. What is relay 
ports? What worm are you refering to?
I find nothing googling and the latest worms I could find was a defect 
in apache or openssl.
I'm conserned that this is going in without any discussion, or have I 
missed somerhing?
I'm guessing most FC4 users having apache setup are using different kind 
of applications in PHP, Python, Perl
etc. that they run. Forums, portals, Wikis, blogs etc. Most, if not all, 
uses the network to connect to the local
email server and to store/retreive data from a database. Installing a 
policy that breaks their services will be
very determinental to the trust of selinux. I suppose those services 
will be left semi-functional after such an update
and that manual intervention is required to restore service. That would 
be close to a DOS attack in my oppinion.

> You can turn the features back on by executing:
> setsebool -P httpd_can_network_relay=1
> or
> setsebool -P httpd_can_network_connect_db=1
>
> Will consider adding this feature to RHEL in a future update.
>
> Comments?

Please elaborate, what problem is being solved here? What will the 
consequences be for end users?

>
> Dan
>
/Nicke

-- 
JID nicke at im.exinor.net