Adding two new booleans to httpd to tighten its security.
Daniel J Walsh
dwalsh at redhat.com
Sat Dec 10 17:54:09 UTC 2005
Nicolas Mailhot wrote:
> Nicklas Norling wrote:
>> Daniel J Walsh wrote:
>>> Currently policy allows httpd to connect to relay ports and to
>>> mysql/postgres ports.
>>> Adding these booleans
>>> * httpd_can_network_relay
>>> * httpd_can_network_connect_db
>>> And turning this feature off by default. This is going into tonight's
>>> reference policy and into FC4 test release.
>>> If we had these turned off we would have prevented the last apache
>>> worm virus.
> I'd really appreciate if more effort was expanded in fixing existing
> AVCs rather than adding new blocking rules.
Which AVCs are you talking about? We have been working hard to fix all
AVCs when we can.
> The current ruleset is already strong enough a lot of people just turn
> off selinux, perfect security isn't much use if no one enables it.
Most people turned off firewall support in the beginning also. These
rules should not affect 90% of apache SELinux users
and will further secure those same users.
</gra_replace>
<gr_replace lines="28" cat="remove_boilerplate" orig="More information">
> I'd rather aim for imperfect security some users actually use.
We are trying to work to a happy medium of security with as little pain
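As an added illustration (not part of the original message or of the reference policy), the script below shows what an administrator would do with the two booleans discussed in the thread: check whether httpd_can_network_relay and httpd_can_network_connect_db are currently off, spot the resulting AVC denials for httpd in the audit log, and persistently enable only the one boolean a deployment actually needs. It assumes the standard SELinux userspace tools (getsebool and setsebool from policycoreutils) plus awk and grep; when getsebool is not installed it falls back on a constructed sample of its output, and the audit lines are likewise constructed for the example.

```shell
#!/bin/sh
# Added example: audit the httpd network booleans and the denials they produce.
# Assumes `getsebool -a` prints lines of the form "name --> on|off".

# Constructed sample of `getsebool -a` output (used when getsebool is absent).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_enable_cgi --> on'

# Constructed sample of audit.log lines: one httpd denial reaching a MySQL
# port (what the DB boolean being off looks like) and one unrelated denial.
SAMPLE_AUDIT='type=AVC msg=audit(1134237249.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=AVC msg=audit(1134237250.456:457): avc:  denied  { read } for  pid=2345 comm="cupsd" name="printers.conf" scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:etc_t tclass=file'

# bool_state NAME OUTPUT: print on/off for NAME from getsebool-style text,
# or "unknown" if the boolean is not listed.
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" '
        $1 == b { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# disabled_httpd_network_bools OUTPUT: list the two booleans from the thread
# that are currently off, one per line.
disabled_httpd_network_bools() {
    for b in httpd_can_network_relay httpd_can_network_connect_db; do
        [ "$(bool_state "$b" "$1")" = "off" ] && echo "$b"
    done
    return 0
}

# httpd_network_denials AUDITTEXT: keep only AVC denials where httpd was
# refused an outbound TCP connect (the symptom of these booleans being off).
httpd_network_denials() {
    printf '%s\n' "$1" | grep 'avc: *denied' | grep 'comm="httpd"' \
        | grep 'name_connect' | grep 'tclass=tcp_socket'
    return 0
}

# current_bools: live getsebool output if available, else the sample.
current_bools() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a
    else
        printf '%s\n' "$SAMPLE_GETSEBOOL"
    fi
}

# enable_db_connect: the targeted fix for an app that legitimately needs a
# database socket. -P stores the change persistently; do not flip
# httpd_can_network_connect (all ports) when only the DB boolean is needed.
enable_db_connect() {
    setsebool -P httpd_can_network_connect_db on
}

report() {
    echo "httpd network booleans currently off:"
    disabled_httpd_network_bools "$(current_bools)"
    echo "httpd outbound-connect denials in sample audit log:"
    httpd_network_denials "$SAMPLE_AUDIT"
}

report
```

Run the script as root on an SELinux host to see the live boolean state; call enable_db_connect only after confirming from the audit lines that the denied destination really is the application's database port.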
More information about the fedora-selinux-list