Joe Orton wrote:
> On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
>
>
>> Currently policy allows httpd to connect to relay ports and to
>> mysql/postgres ports.
>>
>> Adding these booleans
>> * httpd_can_network_relay
>> * httpd_can_network_connect_db
>>
>> And turning this feature off by default. This is going into
>> tonight's reference policy and into FC4 test release.
>>
>
> Do you mean FC4 or FC5? This should not go in an FC4 update
> off-by-default since it will break working setups. Make it
> on-by-default if you want to ship this to FC4 users and
> off-by-default with a big release note for FC5.
>
> What's the difference between httpd_can_network_relay and
> httpd_can_network_connect?
>
> Do we still have the problem that httpd cannot reap idle children
> properly when the latter is set? That really really does need to
> work by default.
>
> joe
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I'd like to completely agree with Joe. I'm beginning to have quite a
lot invested in httpd, PHP and related database code and I don't want
SELinux breaking what is there without a lot of warning. For new
installs of FC4, I've been forced to turn off SELinux support for
these applications. They simply don't work otherwise.

Bob Cochran
Greenbelt, Maryland, USA
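The middle ground between the two positions in this thread (an off-by-default boolean versus disabling SELinux for httpd entirely) is to flip only the specific boolean a PHP-plus-database setup needs and leave everything else confined. The script below is an added example written for this editorial pass, not code from the list thread or from the reference policy. It uses the real `getsebool`/`setsebool` tools and the boolean names mentioned in the thread (`httpd_can_network_connect_db`, `httpd_can_network_relay`, `httpd_can_network_connect`); the helper function names are assumptions of this example. The command-building function is kept separate from the function that applies it so the intended change can be reviewed on a host without SELinux.

```shell
#!/bin/sh
# Added example (not from the thread): grant httpd a single network
# permission via an SELinux boolean instead of disabling confinement.

# httpd_bool_cmd NAME on|off
# Prints the persistent setsebool command for one of the httpd booleans
# named in the thread. Pure function: no root or SELinux needed to test it.
httpd_bool_cmd() {
    bool="$1"; val="$2"
    case "$bool" in
        httpd_can_network_connect_db|httpd_can_network_relay|httpd_can_network_connect) ;;
        *) echo "unknown httpd boolean: $bool" >&2; return 1 ;;
    esac
    case "$val" in
        on|off) ;;
        *) echo "value must be on or off: $val" >&2; return 1 ;;
    esac
    # -P makes the change persist across reboots (policy store is updated).
    printf 'setsebool -P %s %s\n' "$bool" "$val"
}

# apply_httpd_bool NAME on|off
# Shows the boolean before and after the change; on hosts without the
# SELinux tools it only reports what would be run.
apply_httpd_bool() {
    cmd=$(httpd_bool_cmd "$1" "$2") || return 1
    if command -v setsebool >/dev/null 2>&1 && command -v getsebool >/dev/null 2>&1; then
        echo "before: $(getsebool "$1")"
        sh -c "$cmd"
        echo "after:  $(getsebool "$1")"
    else
        echo "SELinux tools not found; would run: $cmd"
    fi
}

# Usage (as root): let PHP under httpd reach the local MySQL/PostgreSQL
# port while every other outbound connection from httpd stays denied.
#   apply_httpd_bool httpd_can_network_connect_db on
```

The narrow boolean (`httpd_can_network_connect_db`) is preferable to `httpd_can_network_connect`, which opens all outbound TCP from the web server; a denial for any other port still shows up in the audit log, which is exactly the signal an operator loses by turning SELinux off for the application.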