Nicklas Norling wrote:
Daniel J Walsh wrote:
Currently policy allows httpd to connect to relay ports and to
mysql/postgres ports.
Adding these booleans
* httpd_can_network_relay
* httpd_can_network_connect_db
And turning this feature off by default. This is going into tonight's
reference policy and into FC4 test release.
If we had these turned off we would have prevented the last apache
worm virus.
This could cause problems for people who run httpd relays or have
their apache databases talking to mysql and postgres databases over
the network.
I'm sorry but I don't understand most of what you write. What are relay
ports? What worm are you referring to?
In the default targeted policy in FC4/RHEL4 apache is allowed to attach
to the Apache ports 80, 8080 and a few others like ftp etc. This
boolean would allow users who do not want their apache servers to be
able to connect out. Most apache servers do not relay requests to other
machines, and this would just enforce this policy. A worm that came out
over the last couple of months attacked PHP and apache and once a
machine was infected launched attacks on other web servers inside your
private network. If the new policy was in place this worm/attack would
have been thwarted. Apache currently is not allowed to connect to
random ports including the mail port. You have to turn on a
boolean if you want apache to connect to these other ports. These new
booleans would just close all remaining ports that apache could connect to.
I find nothing googling and the latest worms I could find was a defect
in apache or openssl.
I'm concerned that this is going in without any discussion, or have I
missed something?
This is the discussion. I have not put out a fc4 RELEASE YET. I am
looking for people's comments before we turn this on.
I'm guessing most FC4 users having apache setup are using different
kind of applications in PHP, Python, Perl
etc. that they run. Forums, portals, Wikis, blogs etc. Most, if not
all, use the network to connect to the local
email server and to store/retrieve data from a database.
Connecting to the local database should not be a problem, since that
would be over a unix domain socket. Mail is currently shut off and you
need to turn on a boolean to allow it.
Installing a policy that breaks their services will be
very detrimental to the trust of selinux. I suppose those services
will be left semi-functional after such an update
and that manual intervention is required to restore service. That
would be close to a DOS attack in my opinion.
We could leave the boolean turned on, but then most customers would not
get the security increase.
You can turn the features back on by executing:
setsebool -P httpd_can_network_relay=1
or
setsebool -P httpd_can_network_connect_db=1
Will consider adding this feature to RHEL in a future update.
Comments?
Please elaborate, what problem is being solved here? What will the
consequences be for end users?
It will prevent a hacked Apache/PHP server from being able to launch
attacks on other servers. The consequences for most users would be
nil. Some will break their service, until they set the boolean, if we
default to off.
Dan
/Nicke
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
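
Added example, not part of the original message or of the SELinux policy: a shell check for the two booleans named in this thread that reads text in the `name --> state` format printed by `getsebool -a` and reports which are enabled or absent. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# The two booleans proposed in the thread; both are meant to default to off.
HTTPD_OUTBOUND_BOOLEANS="httpd_can_network_relay httpd_can_network_connect_db"

# Print watched booleans that are enabled in getsebool-style text on stdin.
# Current tools print on/off; active/inactive is accepted for older output.
enabled_outbound_booleans() {
    awk -v watch="$HTTPD_OUTBOUND_BOOLEANS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $2 == "-->" && ($1 in want) && ($3 == "on" || $3 == "active") { print $1 }
    '
}

# Print watched booleans that the input does not list at all (older policy).
missing_outbound_booleans() {
    awk -v watch="$HTTPD_OUTBOUND_BOOLEANS" '
        BEGIN { n = split(watch, w, " ") }
        $2 == "-->" { seen[$1] = 1 }
        END { for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i] }
    '
}

# Constructed sample input, not captured from a real host.
sample_getsebool_output() {
cat <<'EOF'
httpd_builtin_scripting --> on
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_enable_cgi --> on
EOF
}

# Read getsebool-style text on stdin; succeed only if every watched boolean
# is present and off. Prints the setsebool command that would disable each.
audit_httpd_outbound() {
    input=$(cat)
    on=$(printf '%s\n' "$input" | enabled_outbound_booleans)
    missing=$(printf '%s\n' "$input" | missing_outbound_booleans)
    for b in $on; do echo "ENABLED $b (disable with: setsebool -P $b=0)"; done
    for b in $missing; do echo "MISSING $b (policy does not define it)"; done
    [ -z "$on" ] && [ -z "$missing" ]
}

# Stand-alone run on the constructed sample; on a real host: getsebool -a | audit_httpd_outbound
sample_getsebool_output | audit_httpd_outbound || true
```
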