Adding two new booleans to httpd to tighten it's security.
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 13 04:15:50 UTC 2005
Robert L Cochran wrote:
> Joe Orton wrote:
>
>> On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
>>
>>
>>> Currently policy allows httpd to connect to relay ports and to
>>> mysql/postgres ports.
>>>
>>> Adding these booleans
>>> * httpd_can_network_relay
>>> * httpd_can_network_connect_db
>>>
>>> And turning this feature off by default. This is going into
>>> tonights reference policy and into FC4 test release.
>>>
>>
>> Do you mean FC4 or FC5? This should not go in an FC4 update
>> off-by-default since it will break working setups. Make it
>> on-by-default if you want to ship this to FC4 users and
>> off-by-default with a big release note for FC5.
>>
>> What's the difference between httpd_can_network_relay and
>> httpd_can_network_connect?
>>
>> Do we still have the problem that httpd cannot reap idle children
>> properly when the latter is set? That really really does need to
>> work by default.
>>
>> joe
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>>
>>
> I'd like to completely agree with Joe. I'm beginning to have quite a
> lot invested in httpd, PHP and related database code and I don't want
> SELinux breaking what is there without a lot of warning. For new
> installs of FC4, I've been forced to turn off SELinux support for
> these applications. They simply don't work otherwise.
>
> Bob Cochran
> Greenbelt. Maryland, USA
>
>
Have your reported your problems here or in bugzilla?
--
More information about the fedora-selinux-list
mailing list