Nicklas Norling wrote:
> Daniel J Walsh wrote:
>
>> Currently policy allows httpd to connect to relay ports and to
>> mysql/postgres ports.
>>
>> Adding these booleans
>> * httpd_can_network_relay
>> * httpd_can_network_connect_db
>>
>> And turning this feature off by default. This is going into tonight's
>> reference policy and into FC4 test release.
>> If we had these turned off we would have prevented the last Apache
>> worm virus.

I'd really appreciate it if more effort was expended in fixing existing AVCs rather than adding new blocking rules.

The current ruleset is already strong enough that a lot of people just turn off SELinux; perfect security isn't much use if no one enables it. I'd rather aim for imperfect security some users actually use.

--
Nicolas Mailhot

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
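As an added example (not part of the thread, and not Dan Walsh's or the reference policy's own code), the check a web-server administrator would run after this change: list which of httpd's outbound-network booleans are currently on and print the persistent `setsebool -P` command that turns the unneeded ones back off. The two booleans named in the message are checked together with the broader `httpd_can_network_connect`, which is not mentioned in the thread but exists in current policy; the `getsebool -a` output embedded below is constructed so the script runs on a host without SELinux tooling, and it prefers the live `getsebool` output when that command is available.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit httpd's outbound
# network booleans from `getsebool -a`-style lines and print the remediation.

# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_enable_cgi --> on'

# Booleans that widen httpd's outbound reach (relay ports, DB ports, any port).
# Each should stay off unless the web application genuinely needs it.
HTTPD_NET_BOOLS='httpd_can_network_connect httpd_can_network_connect_db httpd_can_network_relay'

# bool_state NAME: read getsebool-style lines on stdin; print on, off or missing.
bool_state() {
    awk -v n="$1" '
        $1 == n && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# enabled_httpd_net_bools: read getsebool-style lines on stdin and print,
# one per line, the httpd network booleans that are currently on.
enabled_httpd_net_bools() {
    input=$(cat)
    for b in $HTTPD_NET_BOOLS; do
        if [ "$(printf '%s\n' "$input" | bool_state "$b")" = "on" ]; then
            printf '%s\n' "$b"
        fi
    done
}

# remediation_cmd NAME...: print the persistent setsebool command that turns
# the given booleans off (-P writes the change to the policy store so it
# survives a reboot). Prints nothing when given no names.
remediation_cmd() {
    [ $# -gt 0 ] || return 0
    cmd='setsebool -P'
    for b in "$@"; do
        cmd="$cmd $b=off"
    done
    printf '%s\n' "$cmd"
}

# Prefer the live system; fall back to the constructed sample otherwise
# (getsebool -a also fails when SELinux is disabled, hence the second fallback).
if command -v getsebool >/dev/null 2>&1; then
    SOURCE="live getsebool -a"
    INPUT=$(getsebool -a 2>/dev/null || printf '%s\n' "$SAMPLE_GETSEBOOL")
else
    SOURCE="constructed sample"
    INPUT=$SAMPLE_GETSEBOOL
fi

ENABLED=$(printf '%s\n' "$INPUT" | enabled_httpd_net_bools)
if [ -n "$ENABLED" ]; then
    echo "[$SOURCE] httpd network booleans enabled: $(echo $ENABLED)"
    echo "to disable persistently: $(remediation_cmd $ENABLED)"
else
    echo "[$SOURCE] no httpd network booleans enabled"
fi
```

Run it as `sh audit_httpd_bools.sh`; on the constructed sample it reports only `httpd_can_network_connect_db` as enabled and prints `setsebool -P httpd_can_network_connect_db=off`. A boolean that the running policy does not define at all comes back as `missing` rather than `off`, which distinguishes an older policy (where the restriction does not exist yet) from a current policy with the boolean correctly disabled.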