[mod_proxy_html] By default, selinux-policy-targeted doesn't allow httpd to open outbound sockets. These would be, of

Philip Prindeville philipp at fedoraproject.org
Sat Jan 28 21:36:14 UTC 2012


commit 24e06f6f3df12871d7b633c1629e14e9441c70f0
Author: Philip A. Prindeville <philipp at redfish-solutions.com>
Date:   Sat Jan 28 14:33:56 2012 -0700

    By default, selinux-policy-targeted doesn't allow httpd to open
    outbound sockets. These would be, of course, required to have
    proxy service offered by mod_proxy_html.
    
    Add instructions for admins pointing out the manual steps required
    to enable this for SElinux.

 README.selinux      |   10 ++++++++++
 mod_proxy_html.spec |   11 +++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
---
diff --git a/README.selinux b/README.selinux
new file mode 100644
index 0000000..082983d
--- /dev/null
+++ b/README.selinux
@@ -0,0 +1,10 @@
+If you're running with selinux enforcing, httpd will not be able
+to initiate outbound connections by default (since it could thereby
+be used as a springboard for attacks).
+
+To enable connections to other http server instances, use:
+
+# setsebool httpd_can_network_relay 1
+
+of course, this presumes that your rewriting rules are well-written
+and sufficiently restrictive.
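Review bot: the `# setsebool httpd_can_network_relay 1` line in the new README sets the boolean for the running system only; without `-P` it is lost on the next reboot or policy reload, so the documented command should be `# setsebool -P httpd_can_network_relay 1` (or the README should say the change is temporary). Minor style: the closing sentence starts lowercase ("of course, this presumes ..."), and it would help admins to state that this boolean only permits the proxy to connect to ports labelled for HTTP-type services, so a backend on an unusual port still needs its port label adjusted.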
diff --git a/mod_proxy_html.spec b/mod_proxy_html.spec
index 4708944..eacfcec 100644
--- a/mod_proxy_html.spec
+++ b/mod_proxy_html.spec
@@ -1,11 +1,12 @@
 Summary: Output filter to rewrite HTML links in a proxy situation
 Name: mod_proxy_html
 Version: 3.1.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2
 Group: System Environment/Libraries
 URL: http://apache.webthing.com/mod_proxy_html/
 Source: http://apache.webthing.com/mod_proxy_html/mod_proxy_html-%{version}.tar.bz2
+Source1: README.selinux
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing)
 BuildRequires: libxml2-devel httpd-devel
@@ -30,7 +31,7 @@ an essential component of a reverse proxy.
 
 %install
 %{__rm} -rf %{buildroot}
-%{__mkdir_p} %{buildroot}/%{modulesdir}
+%{__mkdir_p} %{buildroot}/%{modulesdir} %{buildroot}/%{_docdir}/%{name}-%{version}
 %{_sbindir}/apxs -i -S LIBEXECDIR=%{buildroot}/%{modulesdir} -n mod_proxy_html mod_proxy_html.la
 %{_sbindir}/apxs -i -S LIBEXECDIR=%{buildroot}/%{modulesdir} -n mod_xml2enc mod_xml2enc.la
 install -m 644 -D proxy_html.conf %{buildroot}/%{confdir}.d/proxy_html.conf
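Review bot: creating %{buildroot}/%{_docdir}/%{name}-%{version} by hand in %install (the extra argument added to the %{__mkdir_p} line) is unnecessary if README.selinux is shipped through the existing relative `%doc COPYING README` line, which creates and populates that directory itself. A `cp -p %{SOURCE1} .` in %prep plus `%doc COPYING README README.selinux` in %files would drop this change together with the separate install and absolute-path %doc entries added further down.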
@@ -43,6 +44,8 @@ install -m 644 -D proxy_html.conf %{buildroot}/%{confdir}.d/proxy_html.conf
 %endif
 	%{buildroot}/%{confdir}.d/proxy_html.conf
 
+install -m 444 -D %{SOURCE1} %{buildroot}/%{_docdir}/%{name}-%{version}/
+
 
 %clean
 %{__rm} -rf %{buildroot}
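Review bot: the added `install -m 444 -D %{SOURCE1} %{buildroot}/%{_docdir}/%{name}-%{version}/` is fragile: `-D` is redundant because the directory is already created by the %{__mkdir_p} line above, and the trailing-slash target relies on install treating the destination as a directory rather than a file name; spelling out the destination file, e.g. `install -p -m 644 %{SOURCE1} %{buildroot}%{_docdir}/%{name}-%{version}/README.selinux`, is unambiguous and keeps the 644 mode used for the other installed files. The extra `+` blank line also leaves two consecutive blank lines before %clean.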
@@ -54,9 +57,13 @@ install -m 644 -D proxy_html.conf %{buildroot}/%{confdir}.d/proxy_html.conf
 %{modulesdir}/mod_xml2enc.so
 %config(noreplace) %lang(en) %{confdir}.d/proxy_html.conf
 %doc COPYING README
+%doc %{_docdir}/%{name}-%{version}/README.selinux
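Review bot: mixing an absolute-path `%doc %{_docdir}/%{name}-%{version}/README.selinux` with the relative `%doc COPYING README` on the line above is risky: rpm processes relative %doc entries by re-creating %{_docdir}/%{name}-%{version} in the buildroot (older rpm releases remove the directory first), so a file installed there by hand can be wiped before the package is assembled. Use one form only; listing README.selinux on the relative %doc line after copying it into the build directory is the simplest fix.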
 
 
 %changelog
+* Sat Jan 28 2012 Philip Prindeville <philipp at fedoraproject.org> - 3.1.2-9
+- Add README about settings required for running under selinux.
+
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.1.2-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 