Send fedora-selinux-list mailing list submissions to
I'm not convinced that the security vs usability tradeoff is being won
in favour of enabling the boolean by default.
I don't quite understand this sentence. Are you saying the boolean should
be enabled by default? We certainly need the functionality. When security
gets in the way of getting the job done, then we have lost the war.
Sorry, I inverted the logic! I'm arguing that the
httpd_can_network_connect boolean should be enabled by default, yes.
joe
Thanks for clearing that up. I think possibly there could be more
granularity, but the need for php and other CGI languages to extract
data from a database and present it as web pages and the ability to act
as proxies are pretty basic to the use of Linux as servers. Of course
the issues of runaway log messages and graceful restart are important
too.