[mod_proxy_html] By default, selinux-policy-targeted doesn't allow httpd to open outbound sockets. These would be, of
Philip Prindeville
philipp at fedoraproject.org
Sat Jan 28 21:36:14 UTC 2012
commit 24e06f6f3df12871d7b633c1629e14e9441c70f0
Author: Philip A. Prindeville <philipp at redfish-solutions.com>
Date: Sat Jan 28 14:33:56 2012 -0700
By default, selinux-policy-targeted doesn't allow httpd to open
outbound sockets. These would be, of course, required to have
proxy service offered by mod_proxy_html.
Add instructions for admins pointing out the manual steps required
to enable this for SELinux.
README.selinux | 10 ++++++++++
mod_proxy_html.spec | 11 +++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
---
diff --git a/README.selinux b/README.selinux
new file mode 100644
index 0000000..082983d
--- /dev/null
+++ b/README.selinux
@@ -0,0 +1,10 @@
+If you're running with selinux enforcing, httpd will not be able
+to initiate outbound connections by default (since it could thereby
+be used as a springboard for attacks).
+
+To enable connections to other http server instances, use:
+
+# setsebool httpd_can_network_relay 1
+
+of course, this presumes that your rewriting rules are well-written
+and sufficiently restrictive.
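Review bot: The `# setsebool httpd_can_network_relay 1` line in the new README changes only the running value of the boolean, so it reverts to the default after a reboot and the proxy loses its outbound connections again. Suggest documenting `setsebool -P httpd_can_network_relay 1` for a persistent change, plus `getsebool httpd_can_network_relay` so admins can confirm the current state. The closing sentence also starts lowercase ("of course, ...") and could say what "sufficiently restrictive" means here, for example that ProxyPass targets should be fixed backends rather than derived from the request.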
diff --git a/mod_proxy_html.spec b/mod_proxy_html.spec
index 4708944..eacfcec 100644
--- a/mod_proxy_html.spec
+++ b/mod_proxy_html.spec
@@ -1,11 +1,12 @@
Summary: Output filter to rewrite HTML links in a proxy situation
Name: mod_proxy_html
Version: 3.1.2
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2
Group: System Environment/Libraries
URL: http://apache.webthing.com/mod_proxy_html/
Source: http://apache.webthing.com/mod_proxy_html/mod_proxy_html-%{version}.tar.bz2
+Source1: README.selinux
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing)
BuildRequires: libxml2-devel httpd-devel
@@ -30,7 +31,7 @@ an essential component of a reverse proxy.
%install
%{__rm} -rf %{buildroot}
-%{__mkdir_p} %{buildroot}/%{modulesdir}
+%{__mkdir_p} %{buildroot}/%{modulesdir} %{buildroot}/%{_docdir}/%{name}-%{version}
%{_sbindir}/apxs -i -S LIBEXECDIR=%{buildroot}/%{modulesdir} -n mod_proxy_html mod_proxy_html.la
%{_sbindir}/apxs -i -S LIBEXECDIR=%{buildroot}/%{modulesdir} -n mod_xml2enc mod_xml2enc.la
install -m 644 -D proxy_html.conf %{buildroot}/%{confdir}.d/proxy_html.conf
@@ -43,6 +44,8 @@ install -m 644 -D proxy_html.conf %{buildroot}/%{confdir}.d/proxy_html.conf
%endif
%{buildroot}/%{confdir}.d/proxy_html.conf
+install -m 444 -D %{SOURCE1} %{buildroot}/%{_docdir}/%{name}-%{version}/
+
%clean
%{__rm} -rf %{buildroot}
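Review bot: In the added `install -m 444 -D %{SOURCE1} ...` line, the destination ends in `/`, so the command depends on the directory already existing from the `%{__mkdir_p}` change earlier in %install, and `-D` contributes nothing. Mode 444 is also inconsistent with the 644 used for proxy_html.conf in the same section. Suggest naming the target file explicitly, `install -p -m 644 -D %{SOURCE1} %{buildroot}/%{_docdir}/%{name}-%{version}/README.selinux`, which lets `-D` create the directory and makes the extra mkdir argument unnecessary.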
@@ -54,9 +57,13 @@ install -m 644 -D proxy_html.conf %{buildroot}/%{confdir}.d/proxy_html.conf
%{modulesdir}/mod_xml2enc.so
%config(noreplace) %lang(en) %{confdir}.d/proxy_html.conf
%doc COPYING README
+%doc %{_docdir}/%{name}-%{version}/README.selinux
%changelog
+* Sat Jan 28 2012 Philip Prindeville <philipp at fedoraproject.org> - 3.1.2-9
+- Add README about settings required for running under selinux.
+
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.1.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
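Review bot: The added `%doc %{_docdir}/%{name}-%{version}/README.selinux` entry sits directly under the relative `%doc COPYING README`, so the same doc directory is populated two ways: by rpm's own handling of relative %doc files and by the manual mkdir and install in %install. Mixing the two is fragile and harder to maintain. A simpler form is to copy %{SOURCE1} into the build directory in %prep and list it as `%doc COPYING README README.selinux`, which removes the need for the %install changes altogether.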