Very useful that this has been introduced - but I had presumed that it applies only to non-local addresses.

The httpd parent process needs to be able to make connections to the local address/ports to which the children are bound. After a period of load, when there are idle children stuck in accept(), the parent will make a few connect()s to wake them up.

Can this policy be limited to non-local addresses? (The "child garbage collection" process is effectively broken-by-default at the moment.)

joe