Adding two new booleans to httpd to tighten it's security.
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 13 04:14:35 UTC 2005
Joe Orton wrote:
> On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
>> Currently policy allows httpd to connect to relay ports and to
>> mysql/postgres ports.
>> Adding these booleans
>> * httpd_can_network_relay
>> * httpd_can_network_connect_db
>> And turning this feature off by default. This is going into tonights
>> reference policy and into FC4 test release.
> Do you mean FC4 or FC5? This should not go in an FC4 update
> off-by-default since it will break working setups. Make it
> on-by-default if you want to ship this to FC4 users and off-by-default
> with a big release note for FC5.
Ok plan is to add this to FC4 With relay and database network connect
turned on by default.
> What's the difference between httpd_can_network_relay and
They are just more specific. They allow specific connections to relay
ports (http, ftp, gopher etc) and database ports (mysql and postgres).
> Do we still have the problem that httpd cannot reap idle children
> properly when the latter is set? That really really does need to work
> by default.
Do you have a bugzilla for this?
More information about the fedora-selinux-list