Re: fedora-selinux-list Digest, Vol 18, Issue 9: msg#00045

fedora-selinux-list-request@xxxxxxxxxx wrote:

Subject:

Re: [Bug 164992] New: Mod_proxy does not work with SElinux default policy

From:

Joe Orton <jorton@xxxxxxxxxx>

Date:

Mon, 8 Aug 2005 16:40:42 +0100

To:

Daniel J Walsh <dwalsh@xxxxxxxxxx>

To:

Daniel J Walsh <dwalsh@xxxxxxxxxx>

CC:

fedora-selinux-list@xxxxxxxxxx

On Fri, Aug 05, 2005 at 02:49:37PM -0400, Daniel J Walsh wrote:

Joe Orton wrote:

No, when mod_proxy is used as a generic HTTP proxy (a not entirely 
uncommon configuration) it needs to be able to connect to any remote 
port on any remote address.

Defaulting apache to can_network_connect_any=1 could allow a subverted 
apache web server to be setup as a spammer, or a launch site for further 
attacks.  So I don't think this would be a good idea.


Currently the following is known to be broken in the default 
configuration:

1) web applications which connect to remote {my,postgre}SQL databases
(and similarly, I guess, the Apache SQL-based-authentication modules)

This answers my previous question about why a phpBB forum could not connect to the postgreSQL database if SElinux is enforcing.

2) all mod_proxy configurations (reverse proxy, forward proxy)

3) the parent connect()-to-listening-port "reap idle children" 
interface, which has the impact:

 a) one log message written to error_log per second when the server
acquiesces after a period of above-normal load and tries to reap idle 
children

 b) graceful restart does not work properly

The above all represent important functionality.

Agreed.

I'm not convinced that the security vs usability tradeoff is being won 
in favour of enabling the boolean by default.

I don't quite understand this sentence. Are you saying the boolean should be enabled by default? We certainly need the functionality. When security gets in the way of getting the job done, then we have lost the war.

Regards,
John

Regards,

joe


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

<Prev in Thread]	Current Thread	[Next in Thread>

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	vsftpd non-anonymous chrooting, Ted Rule
Next by Date:	Re: fedora-selinux-list Digest, Vol 18, Issue 9, Joe Orton
Previous by Thread:	vsftpd non-anonymous chrooting, Ted Rule
Next by Thread:	Re: fedora-selinux-list Digest, Vol 18, Issue 9, Joe Orton
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

vsftpd non-anonymous chrooting, Ted Rule

Next by Date:

Re: fedora-selinux-list Digest, Vol 18, Issue 9, Joe Orton

Previous by Thread:

vsftpd non-anonymous chrooting, Ted Rule

Next by Thread:

Re: fedora-selinux-list Digest, Vol 18, Issue 9, Joe Orton

Indexes:

[Date] [Thread] [Top] [All Lists]

Free Magazines

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe