Adding two new booleans to httpd to tighten it's security.
Robert L Cochran
cochranb at speakeasy.net
Tue Dec 13 01:29:23 UTC 2005
Joe Orton wrote:
>On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
>
>
>>Currently policy allows httpd to connect to relay ports and to
>>mysql/postgres ports.
>>
>>Adding these booleans
>> * httpd_can_network_relay
>> * httpd_can_network_connect_db
>>
>>And turning this feature off by default. This is going into tonights
>>reference policy and into FC4 test release.
>>
>>
>
>Do you mean FC4 or FC5? This should not go in an FC4 update
>off-by-default since it will break working setups. Make it
>on-by-default if you want to ship this to FC4 users and off-by-default
>with a big release note for FC5.
>
>What's the difference between httpd_can_network_relay and
>httpd_can_network_connect?
>
>Do we still have the problem that httpd cannot reap idle children
>properly when the latter is set? That really really does need to work
>by default.
>
>joe
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
>
>
I'd like to completely agree with Joe. I'm beginning to have quite a lot
invested in httpd, PHP and related database code and I don't want
SELinux breaking what is there without a lot of warning. For new
installs of FC4, I've been forced to turn off SELinux support for these
applications. They simply don't work otherwise.
Bob Cochran
Greenbelt. Maryland, USA
More information about the fedora-selinux-list
mailing list