Adding two new booleans to httpd to tighten it's security.
Nicolas Mailhot
nicolas.mailhot at laposte.net
Sat Dec 10 16:47:07 UTC 2005
Nicklas Norling wrote:
> Daniel J Walsh wrote:
>
>>
>> Currently policy allows httpd to connect to relay ports and to
>> mysql/postgres ports.
>>
>> Adding these booleans
>> * httpd_can_network_relay
>> * httpd_can_network_connect_db
>>
>> And turning this feature off by default. This is going into tonights
>> reference policy and into FC4 test release.
>> If we had these turned off we would have prevented the last apache
>> worm virus.
I'd really appreciate if more effort was expanded in fixing existing
AVCs rather than adding new blocking rules.
The current ruleset is already strong enough a lot of people just turn
off selinux, perfect security isn't much use if no one enables it.
I'd rather aim for imperfect security some users actually use.
--
Nicolas Mailhot
More information about the fedora-selinux-list
mailing list