Currently policy allows httpd to connect to relay ports and to
mysql/postgres ports.
Adding these booleans
* httpd_can_network_relay
* httpd_can_network_connect_db
And turning this feature off by default. This is going into tonights
reference policy and into FC4 test release.
If we had these turned off we would have prevented the last apache worm
virus.
This could cause problems for people who run httpd relays or have their
apache databases talking to mysql and postgres databases over the network.
You can turn the features back on by executing:
setsebool -P httpd_can_network_relay=1
or
setsebool -P httpd_can_network_connect_db=1
Will consider adding this feature to RHEL in a future update.
Comments?
Dan
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
