On Tue, Aug 09, 2005 at 10:35:54AM -0400, John Griffiths wrote:
> Joe Orton wrote:
> The above all represent important functionality.
>
>
> Agreed.
>
> I'm not convinced that the security vs usability tradeoff is being won
> in favour of enabling the boolean by default.
>
>
> I don't quite understand this sentence. Are you saying the boolean should
> be enabled by default? We certainly need the functionality. When security
> gets in the way of getting the job done, then we have lost the war.
>
>
Sorry, I inverted the logic! I'm arguing that the
httpd_can_network_connect boolean should be enabled by default, yes.
joe
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
How about I add
# allow httpd to connect to mysql/postgresql databases
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
can_ldap(httpd_t)
By default and leave the boolean off?
Dan