Joe Orton wrote:
On Mon, Aug 15, 2005 at 11:59:52AM -0400, Daniel J Walsh wrote:
can_network(httpd_t)
can_kerberos(httpd_t)
can_resolve(httpd_t)
can_ypbind(httpd_t)
can_ldap(httpd_t)
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
# allow httpd to connect to mysql/posgresql
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
# allow httpd to work as a relay
allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t
}:tcp_socket name_connect;
So this would allow connections to ports 80, 8080, etc etc?
Yes, that looks sufficient, but it does seem to defeat the point of
having the boolean in the first place :)
Yes and know, Since the main goal is to stop spamming we have prevented
this. I could add another boolean on by default that allowed
httpd_relay or something.
joe
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
