Daniel J Walsh wrote:
Robert L Cochran wrote:
Joe Orton wrote:
On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
Currently policy allows httpd to connect to relay ports and to
mysql/postgres ports.
Adding these booleans
* httpd_can_network_relay
* httpd_can_network_connect_db
And turning this feature off by default. This is going into
tonights reference policy and into FC4 test release.
Do you mean FC4 or FC5? This should not go in an FC4 update
off-by-default since it will break working setups. Make it
on-by-default if you want to ship this to FC4 users and
off-by-default with a big release note for FC5.
What's the difference between httpd_can_network_relay and
httpd_can_network_connect?
Do we still have the problem that httpd cannot reap idle children
properly when the latter is set? That really really does need to
work by default.
joe
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I'd like to completely agree with Joe. I'm beginning to have quite a
lot invested in httpd, PHP and related database code and I don't want
SELinux breaking what is there without a lot of warning. For new
installs of FC4, I've been forced to turn off SELinux support for
these applications. They simply don't work otherwise.
Bob Cochran
Greenbelt. Maryland, USA
Have your reported your problems here or in bugzilla?
Yes I reported an error in fedora-selinux-list with this subject line:
"MySQL 5.0.4 Beta AVC Denied Messages". That was back in May, there was
no reply to the post. I don't think I've put anything in bugzilla. I
fixed the error by removing SELinux protection for the MySQL
application. I believe, but need to confirm, that I also turned it off
for php (I compile a lot of snapshots from snaps.php.net) on that
machine, too. I have since upgraded the machine to Fedora Core 4.
I can't remember whether I set that machine up with SELinux in
permissive or enforcing mode. But when I later installed MySQL 5 from
rpm's downloaded from dev.mysql.com, SELinux broke the startup script by
denying mysqld permission to start and thereby build the grant tables,
etc. Until a better solution comes along, I don't want SELinux breaking
my applications in this way. As a matter of fact, one enhancement I'd
like to see is SELinux emitting a user-friendly message in the logs
explaining how to turn on the functionality for an application it has
just denied. Something like this:
To turn this functionality on, go to Desktop --> System Settings --->
Security Level --> SELinux and....[more precise instructions presented
here].
It would also be nice to have preconfigured "application access levels"
an administrator can turn on or off rapidly. For example, if the machine
is intended to be used as a firewall, have an application access level
that would configure SELinux to let the right kind of firewall services
(iptables, for example) run correctly. This access level would be set up
to prevent gcc, perl, ruby or any other compiler from working if
installed. The idea is to introduce ease of use and adminstration to
SELinux.
I'm not an SELinux expert; I'm just trying to administer my own machines
on my own network and go about application development with a minimum of
interference and pain from security type software. If I can't get
SELinux to cooperate with me a little and provide a smooth solution for
not breaking my applications, I'll simply turn it off.
Bob Cochran
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
