Robert L Cochran wrote:
Joe Orton wrote:
On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
Currently policy allows httpd to connect to relay ports and to
mysql/postgres ports.
Adding these booleans
* httpd_can_network_relay
* httpd_can_network_connect_db
And turning this feature off by default. This is going into
tonights reference policy and into FC4 test release.
Do you mean FC4 or FC5? This should not go in an FC4 update
off-by-default since it will break working setups. Make it
on-by-default if you want to ship this to FC4 users and
off-by-default with a big release note for FC5.
What's the difference between httpd_can_network_relay and
httpd_can_network_connect?
Do we still have the problem that httpd cannot reap idle children
properly when the latter is set? That really really does need to
work by default.
joe
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I'd like to completely agree with Joe. I'm beginning to have quite a
lot invested in httpd, PHP and related database code and I don't want
SELinux breaking what is there without a lot of warning. For new
installs of FC4, I've been forced to turn off SELinux support for
these applications. They simply don't work otherwise.
Bob Cochran
Greenbelt. Maryland, USA
Have your reported your problems here or in bugzilla?
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
