Adding two new booleans to httpd to tighten its security.
Daniel J Walsh
dwalsh at redhat.com
Sat Dec 10 17:54:09 UTC 2005
Nicolas Mailhot wrote:
> Nicklas Norling wrote:
>
>> Daniel J Walsh wrote:
>>
>>
>>> Currently policy allows httpd to connect to relay ports and to
>>> mysql/postgres ports.
>>>
>>> Adding these booleans
>>> * httpd_can_network_relay
>>> * httpd_can_network_connect_db
>>>
>>> And turning this feature off by default. This is going into tonight's
>>> reference policy and into the FC4 test release.
>>> If we had these turned off we would have prevented the last Apache
>>> worm virus.
>>>
>
> I'd really appreciate if more effort was expanded in fixing existing
> AVCs rather than adding new blocking rules.
>
Which AVCs are you talking about? We have been working hard to fix all
AVCs when we can.
> The current ruleset is already strong enough a lot of people just turn
> off selinux, perfect security isn't much use if no one enables it.
>
>
Most people turned off firewall support in the beginning also. These
rules should not affect 90% of Apache SELinux users
and will further secure those same users.
> I'd rather aim for imperfect security some users actually use.
>
We are trying to work to a happy medium of security with as little pain
as possible.