Adding two new booleans to httpd to tighten its security.

Daniel J Walsh dwalsh at
Tue Dec 13 04:14:35 UTC 2005

Joe Orton wrote:
> On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
>> Currently policy allows httpd to connect to relay ports and to 
>> mysql/postgres ports.
>> Adding these booleans
>>    * httpd_can_network_relay
>>    * httpd_can_network_connect_db
>> And turning this feature off by default.  This is going into tonight's 
>> reference policy and into FC4 test release.
> Do you mean FC4 or FC5?  This should not go in an FC4 update 
> off-by-default since it will break working setups.  Make it 
> on-by-default if you want to ship this to FC4 users and off-by-default 
> with a big release note for FC5.
Ok, plan is to add this to FC4 with relay and database network connect 
turned on by default.
> What's the difference between httpd_can_network_relay and 
> httpd_can_network_connect?
They are just more specific.  They allow specific connections to relay 
ports (http, ftp, gopher etc) and database ports (mysql and postgres).
> Do we still have the problem that httpd cannot reap idle children 
> properly when the latter is set?  That really really does need to work 
> by default.
Do you have a bugzilla for this?
> joe
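An illustrative sketch, added here and not the patch the message describes, of how the two narrower tunables gate httpd_t's outbound TCP connects in reference-policy style, beside the blanket httpd_can_network_connect they refine. The macro and interface names follow reference-policy conventions; the exact port set in the shipped policy may differ, and a distribution build that wants them on by default would declare them with true instead of false.

```m4
# Declare the tunables. Reference policy default: off (false).
# The message says the FC4 build ships both turned on, i.e. true here.
gen_tunable(httpd_can_network_relay, false)
gen_tunable(httpd_can_network_connect_db, false)

# Relay: only the proxy-style ports named in the thread (http, ftp, gopher).
tunable_policy(`httpd_can_network_relay',`
	corenet_tcp_connect_http_port(httpd_t)
	corenet_tcp_connect_http_cache_port(httpd_t)
	corenet_tcp_connect_ftp_port(httpd_t)
	corenet_tcp_connect_gopher_port(httpd_t)
')

# Database: only the mysql and postgres ports.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_mysqld_port(httpd_t)
	corenet_tcp_connect_postgresql_port(httpd_t)
')

# The broad boolean the two above are compared with: any TCP port at all.
tunable_policy(`httpd_can_network_connect',`
	corenet_tcp_connect_all_ports(httpd_t)
')
```

With the narrow booleans an administrator can leave httpd_can_network_connect off and still permit a reverse proxy or a database-backed application, which is the tightening the subject line refers to.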

