[Bug 164992] New: Mod_proxy does not work with SElinux default policy

Daniel J Walsh dwalsh at redhat.com
Mon Aug 15 15:21:51 UTC 2005


Joe Orton wrote:

>On Mon, Aug 08, 2005 at 04:40:42PM +0100, Joe Orton wrote:
>
>>On Fri, Aug 05, 2005 at 02:49:37PM -0400, Daniel J Walsh wrote:
>>
>>>Joe Orton wrote:
>>>
>>>>No, when mod_proxy is used as a generic HTTP proxy (a not entirely
>>>>uncommon configuration) it needs to be able to connect to any remote
>>>>port on any remote address.
>>>
>>>Defaulting apache to can_network_connect_any=1 could allow a subverted
>>>apache web server to be set up as a spammer, or a launch site for further
>>>attacks.  So I don't think this would be a good idea.
>>
>>Currently the following is known to be broken in the default
>>configuration:
>
>Another one, https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165592
>
>4) web applications which connect to remote LDAP databases, and
>similarly, I guess, the Apache LDAP-based authentication module, if
>configured to use remote LDAP databases.
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Latest policy has can_ldap(httpd_t), which should allow httpd scripts to connect to the
ldap port.  Could I give a similar connect to mysql to solve your problem?

-- 
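The trade-off discussed in this thread is between a blanket "httpd may connect anywhere" allowance and narrow per-service allowances such as can_ldap(httpd_t). The script below is an added example written for this archive page; it is not code from the thread, from Fedora, or from the SELinux reference policy. It reads AVC denial lines of the kind the kernel audit subsystem emits, keeps only tcp_socket name_connect denials for the httpd_t domain, and maps the target port type to the narrowest allowance it knows about. The boolean names httpd_can_network_connect_db, httpd_can_network_relay and httpd_can_network_connect are assumed from current Fedora/RHEL targeted policy (the 2005 policy in the thread used different names), and the AVC lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample AVC denial records for this example. They are not from the
# thread or from any real system; the layout follows the kernel's AVC message.
SAMPLE_AVC_LINES: List[str] = [
    'type=AVC msg=audit(1123951234.123:45): avc:  denied  { name_connect } for  pid=2345 '
    'comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1123951240.456:46): avc:  denied  { name_connect } for  pid=2346 '
    'comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1123951250.789:47): avc:  denied  { name_connect } for  pid=2347 '
    'comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
    # A file denial that must be ignored: it is not a network connect.
    'type=AVC msg=audit(1123951260.000:48): avc:  denied  { read } for  pid=2348 '
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]

# Narrowest allowance per target port type. Assumption: boolean names as in
# current Fedora/RHEL targeted policy; the ldap entry reflects the thread's
# statement that can_ldap(httpd_t) is already in the latest policy.
NARROW_ALLOWANCE: Dict[str, str] = {
    "ldap_port_t": "covered by can_ldap(httpd_t) in current policy; no boolean needed",
    "mysqld_port_t": "setsebool -P httpd_can_network_connect_db on",
    "postgresql_port_t": "setsebool -P httpd_can_network_connect_db on",
    "http_port_t": "setsebool -P httpd_can_network_relay on (reverse proxy only)",
}

# Anything else would need the blanket boolean, which is the risk the thread
# warns about: a subverted httpd could then reach any port on any host.
BLANKET_WARNING = (
    "no narrow allowance known: only the blanket httpd_can_network_connect "
    "boolean or a custom policy module would permit this; review the need first"
)


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Extract permission, comm, dest, contexts and class from one AVC line."""
    if "avc:" not in line or "denied" not in line:
        return None
    m = re.search(r"\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    rec = {"perm": m.group(1)}
    for key in ("comm", "dest", "scontext", "tcontext", "tclass"):
        # Values may be bare (dest=389) or quoted (comm="httpd").
        km = re.search(rf'\b{key}=("?)([^"\s]+)\1', line)
        rec[key] = km.group(2) if km else ""
    return rec


def port_type(tcontext: str) -> str:
    """system_u:object_r:ldap_port_t:s0 -> ldap_port_t"""
    parts = tcontext.split(":")
    return parts[2] if len(parts) >= 3 else tcontext


def is_httpd_connect(rec: Dict[str, str]) -> bool:
    """True only for outbound TCP connect denials from the httpd_t domain."""
    return (
        rec["tclass"] == "tcp_socket"
        and rec["perm"] == "name_connect"
        and "httpd_t" in rec["scontext"].split(":")
    )


def recommend(lines: List[str]) -> Dict[str, str]:
    """Map each denied target port type to the narrowest allowance for it."""
    out: Dict[str, str] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not is_httpd_connect(rec):
            continue
        pt = port_type(rec["tcontext"])
        out[pt] = NARROW_ALLOWANCE.get(pt, BLANKET_WARNING)
    return out


if __name__ == "__main__":
    for ptype, action in recommend(SAMPLE_AVC_LINES).items():
        print(f"{ptype}: {action}")
```

On a live system the input would come from `ausearch -m avc -c httpd` rather than the constructed list; the point of the classification is that only the port types with no narrow allowance (here the smtp_port_t denial) force a decision about the blanket boolean, which is exactly the case the thread argues should not be the default.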