Adding two new booleans to httpd to tighten it's security.
exinor at exinor.net
Sat Dec 10 14:42:02 UTC 2005
Daniel J Walsh wrote:
> Currently policy allows httpd to connect to relay ports and to
> mysql/postgres ports.
> Adding these booleans
> * httpd_can_network_relay
> * httpd_can_network_connect_db
> And turning this feature off by default. This is going into tonights
> reference policy and into FC4 test release.
> If we had these turned off we would have prevented the last apache
> worm virus.
> This could cause problems for people who run httpd relays or have
> their apache databases talking to mysql and postgres databases over
> the network.
I'm sorry but I don't understand most of what you write. What is relay
ports? What worm are you refering to?
I find nothing googling and the latest worms I could find was a defect
in apache or openssl.
I'm conserned that this is going in without any discussion, or have I
I'm guessing most FC4 users having apache setup are using different kind
of applications in PHP, Python, Perl
etc. that they run. Forums, portals, Wikis, blogs etc. Most, if not all,
uses the network to connect to the local
email server and to store/retreive data from a database. Installing a
policy that breaks their services will be
very determinental to the trust of selinux. I suppose those services
will be left semi-functional after such an update
and that manual intervention is required to restore service. That would
be close to a DOS attack in my oppinion.
> You can turn the features back on by executing:
> setsebool -P httpd_can_network_relay=1
> setsebool -P httpd_can_network_connect_db=1
> Will consider adding this feature to RHEL in a future update.
Please elaborate, what problem is being solved here? What will the
consequences be for end users?
JID nicke at im.exinor.net
More information about the fedora-selinux-list