Adding two new booleans to httpd to tighten its security.

Daniel J Walsh dwalsh at
Sat Dec 10 17:54:09 UTC 2005

Nicolas Mailhot wrote:
> Nicklas Norling wrote:
>> Daniel J Walsh wrote:
>>> Currently policy allows httpd to connect to relay ports and to
>>> mysql/postgres ports.
>>> Adding these booleans
>>>    * httpd_can_network_relay
>>>    * httpd_can_network_connect_db
>>> And turning this feature off by default.  This is going into tonight's
>>> reference policy and into FC4 test release.
>>> If we had these turned off we would have prevented the last apache
>>> worm virus.
> I'd really appreciate if more effort was expanded in fixing existing
> AVCs rather than adding new blocking rules.
Which AVCs are you talking about?  We have been working hard to fix all 
AVCs when we can. 
> The current ruleset is already strong enough a lot of people just turn
> off selinux, perfect security isn't much use if no one enables it.
Most people turned off firewall support in the beginning also.  These 
rules should not affect 90% of Apache SELinux users
and will further secure those same users.
> I'd rather aim for imperfect security some users actually use.
We are trying to work to a happy medium of security with as little pain 
as possible. 
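The two booleans named above are the kind of thing an administrator wants to audit on a fleet before and after the policy change lands. The script below is an added example written for this page; it is not code from the post or from the reference policy. It reads getsebool-style output ("name --> on|off"), reports whether each httpd network-egress boolean is enabled, and emits the setsebool -P commands that return a host to the off-by-default posture described in the thread. The sample output is constructed so the script runs offline; on a real FC4-era host you would feed it `getsebool -a` instead. httpd_can_network_connect is included as an assumed third boolean of the same family; only the two relay/db booleans are named in the post.

```shell
#!/bin/sh
# Audit httpd's SELinux network-egress booleans (added example, not the post's own code).
# Assumes the getsebool(8) output format "name --> on|off" and setsebool(8) -P semantics.
# The sample below is constructed for offline use; on a real host use: getsebool -a

SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> on
httpd_enable_cgi --> on'

# Booleans named in the thread, plus httpd_can_network_connect (assumed, same family).
HTTPD_EGRESS_BOOLEANS="httpd_can_network_relay httpd_can_network_connect_db httpd_can_network_connect"

# Print the value ("on"/"off"/"absent") of boolean $1 from getsebool-style output on stdin.
bool_value() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "absent" }'
}

# Exit 0 if boolean $1 is "on" in output $2, else 1 (off or not present in the policy).
bool_is_on() {
    [ "$(printf '%s\n' "$2" | bool_value "$1")" = "on" ]
}

# Count how many of the egress booleans are enabled in output $1.
enabled_egress_count() {
    n=0
    for b in $HTTPD_EGRESS_BOOLEANS; do
        if bool_is_on "$b" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Emit the persistent setsebool commands needed to reach the default-off posture;
# prints nothing when the host is already hardened.
hardening_commands() {
    for b in $HTTPD_EGRESS_BOOLEANS; do
        if bool_is_on "$b" "$1"; then
            echo "setsebool -P $b off"
        fi
    done
}

# Stand-alone demonstration against the constructed sample.
echo "enabled egress booleans: $(enabled_egress_count "$SAMPLE_GETSEBOOL")"
hardening_commands "$SAMPLE_GETSEBOOL"
```

A host that actually needs httpd to reach a database or a mail relay re-enables only the specific boolean, e.g. `setsebool -P httpd_can_network_connect_db on`, rather than the broader httpd_can_network_connect; the audit above then reports that one boolean as expected rather than flagging it as drift.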

