Re: Adding two new booleans to httpd to tighten it's security.

Robert L Cochran wrote:
> Joe Orton wrote:
>
> > On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
> >  
> >
> > > Currently policy allows httpd to connect to relay ports and to 
> > > mysql/postgres ports.
> > > Adding these booleans
> > >   * httpd_can_network_relay
> > >   * httpd_can_network_connect_db
> > >
> > > And turning this feature off by default.  This is going into 
> > > tonights reference policy and into FC4 test release.
> > >   
> > Do you mean FC4 or FC5?  This should not go in an FC4 update 
> > off-by-default since it will break working setups.  Make it 
> > on-by-default if you want to ship this to FC4 users and 
> > off-by-default with a big release note for FC5.
> > What's the difference between httpd_can_network_relay and 
> > httpd_can_network_connect?
> > Do we still have the problem that httpd cannot reap idle children 
> > properly when the latter is set?  That really really does need to 
> > work by default.
> > joe
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> >
> >  
> I'd like to completely agree with Joe. I'm beginning to have quite a 
> lot invested in httpd, PHP and related database code and I don't want 
> SELinux breaking what is there without a lot of warning. For new 
> installs of FC4, I've been forced to turn off SELinux support for 
> these applications. They simply don't work otherwise.
> Bob Cochran
> Greenbelt. Maryland, USA
Have your reported your problems here or in bugzilla?

--