Daniel J Walsh wrote:
Currently policy allows httpd to connect to relay ports and to
mysql/postgres ports.
Adding these booleans
* httpd_can_network_relay
* httpd_can_network_connect_db
And turning this feature off by default. This is going into tonights
reference policy and into FC4 test release.
If we had these turned off we would have prevented the last apache
worm virus.
This could cause problems for people who run httpd relays or have
their apache databases talking to mysql and postgres databases over
the network.
I'm sorry but I don't understand most of what you write. What is relay
ports? What worm are you refering to?
I find nothing googling and the latest worms I could find was a defect
in apache or openssl.
I'm conserned that this is going in without any discussion, or have I
missed somerhing?
I'm guessing most FC4 users having apache setup are using different kind
of applications in PHP, Python, Perl
etc. that they run. Forums, portals, Wikis, blogs etc. Most, if not all,
uses the network to connect to the local
email server and to store/retreive data from a database. Installing a
policy that breaks their services will be
very determinental to the trust of selinux. I suppose those services
will be left semi-functional after such an update
and that manual intervention is required to restore service. That would
be close to a DOS attack in my oppinion.
You can turn the features back on by executing:
setsebool -P httpd_can_network_relay=1
or
setsebool -P httpd_can_network_connect_db=1
Will consider adding this feature to RHEL in a future update.
Comments?
Please elaborate, what problem is being solved here? What will the
consequences be for end users?
Dan
/Nicke
--
JID nicke@xxxxxxxxxxxxx
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
