Re: Adding two new booleans to httpd to tighten its security.

On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
> 
> Currently policy allows httpd to connect to relay ports and to 
> mysql/postgres ports.
> 
> Adding these booleans
>    * httpd_can_network_relay
>    * httpd_can_network_connect_db
> 
> And turning this feature off by default.  This is going into tonight's 
> reference policy and into FC4 test release.

Do you mean FC4 or FC5?  This should not go in an FC4 update 
off-by-default since it will break working setups.  Make it 
on-by-default if you want to ship this to FC4 users and off-by-default 
with a big release note for FC5.

What's the difference between httpd_can_network_relay and 
httpd_can_network_connect?

Do we still have the problem that httpd cannot reap idle children 
properly when the latter is set?  That really really does need to work 
by default.

joe

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
