Adding two new booleans to httpd to tighten it's security.

Tue Dec 13 22:24:19 UTC 2005

Daniel J Walsh wrote:

> Robert L Cochran wrote:
>
>> Joe Orton wrote:
>>
>>> On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
>>>  
>>>
>>>> Currently policy allows httpd to connect to relay ports and to 
>>>> mysql/postgres ports.
>>>>
>>>> Adding these booleans
>>>>   * httpd_can_network_relay
>>>>   * httpd_can_network_connect_db
>>>>
>>>> And turning this feature off by default.  This is going into 
>>>> tonights reference policy and into FC4 test release.
>>>>   
>>>
>>>
>>> Do you mean FC4 or FC5?  This should not go in an FC4 update 
>>> off-by-default since it will break working setups.  Make it 
>>> on-by-default if you want to ship this to FC4 users and 
>>> off-by-default with a big release note for FC5.
>>>
>>> What's the difference between httpd_can_network_relay and 
>>> httpd_can_network_connect?
>>>
>>> Do we still have the problem that httpd cannot reap idle children 
>>> properly when the latter is set?  That really really does need to 
>>> work by default.
>>>
>>> joe
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>>
>>>  
>>>
>> I'd like to completely agree with Joe. I'm beginning to have quite a 
>> lot invested in httpd, PHP and related database code and I don't want 
>> SELinux breaking what is there without a lot of warning. For new 
>> installs of FC4, I've been forced to turn off SELinux support for 
>> these applications. They simply don't work otherwise.
>>
>> Bob Cochran
>> Greenbelt. Maryland, USA
>>
>>
> Have your reported your problems here or in bugzilla?
>
Yes I reported an error in fedora-selinux-list with this subject line: 
"MySQL 5.0.4 Beta AVC Denied Messages". That was back in May, there was 
no reply to the post. I don't think I've put anything in bugzilla. I 
fixed the error by removing SELinux protection for the MySQL 
application. I believe, but need to confirm, that I also turned it off 
for php (I compile a lot of snapshots from snaps.php.net) on that 
machine, too. I have since upgraded the machine to Fedora Core 4.

I can't remember whether I set that machine up with SELinux in 
permissive or enforcing mode. But when I later installed MySQL 5 from 
rpm's downloaded from dev.mysql.com, SELinux broke the startup script by 
denying mysqld permission to start and thereby build the grant tables, 
etc. Until a better solution comes along, I don't want SELinux breaking 
my applications in this way. As a matter of fact, one enhancement I'd 
like to see is SELinux emitting a user-friendly message in the logs 
explaining how to turn on the functionality for an application it has 
just denied. Something like this:

To turn this functionality on, go to Desktop --> System Settings ---> 
Security Level --> SELinux and....[more precise instructions presented 
here].

It would also be nice to have preconfigured "application access levels" 
an administrator can turn on or off rapidly. For example, if the machine 
is intended to be used as a firewall, have an application access level 
that would configure SELinux to let the right kind of firewall services 
(iptables, for example) run correctly. This access level would be set up 
to prevent gcc, perl, ruby or any other compiler from working if 
installed. The idea is to introduce ease of use and adminstration to 
SELinux.

I'm not an SELinux expert; I'm just trying to administer my own machines 
on my own network and go about application development with a minimum of 
interference and pain from security type software. If I can't get 
SELinux to cooperate with me a little and provide a smooth solution for 
not breaking my applications, I'll simply turn it off.

Bob Cochran