On March 13, 2011 14:18, Dominick Grift <domg472@xxxxxxxxx> wrote:
>> No traffic is allowed through because httpd does not have
>> permission for name_connect. And if I add a rule to permit this
>> (equivalent to setting the httpd_can_network_connect boolean) then httpd
>> can connect via ALL interfaces, not just via the loopback interface.
> Yes but can it also use the connection? I mean if it can name_connect
> but not really use the connection because it can't egress, ingress or
> whatever then you may be able to achieve your goals also.

Yes, my test script (running under httpd) is able to connect to a web server via all interfaces (including eth0) and retrieve data if I permit name_connect, regardless of whether I'm labeling the loopback interface, labeling packets on the interface, or not doing anything else at all. I'd like for httpd to be able to do this but only via the loopback interface, specifically excluding eth0 and all other interfaces.

I'm still investigating the feasibility of permitting all system calls and all ports, but labeling ALL packets to and from httpd via all interfaces. This seems like it would be a fairly big change to the httpd targeted policy, though, so any other suggestions are very welcome.

--
Mark Montague
mark@xxxxxxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
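One way to try the "label all packets" approach discussed above, written as an added example that is not from this thread or from the Fedora policy: every packet is labeled by interface with SECMARK, and a small policy module lets httpd_t send and receive only the loopback packet type while other domains keep both types. The type names httpd_lo_packet_t and ext_packet_t and the module name httpd_lo_only are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): confine httpd_t's network use to the
# loopback interface with SECMARK packet labels plus a small policy module.
# The type names httpd_lo_packet_t / ext_packet_t are assumptions made here.
set -eu

# Emit the iptables rules: label every packet by interface, not by domain.
secmark_rules() {
    lo='system_u:object_r:httpd_lo_packet_t:s0'
    ext='system_u:object_r:ext_packet_t:s0'
    cat <<EOF
iptables -t mangle -A OUTPUT -o lo -j SECMARK --selctx $lo
iptables -t mangle -A INPUT  -i lo -j SECMARK --selctx $lo
iptables -t mangle -A OUTPUT ! -o lo -j SECMARK --selctx $ext
iptables -t mangle -A INPUT  ! -i lo -j SECMARK --selctx $ext
EOF
}

# Emit the policy module source: httpd_t may use loopback packets only;
# every other domain keeps working on both packet types.
policy_module_te() {
    cat <<'EOF'
policy_module(httpd_lo_only, 1.0)
gen_require(`
	type httpd_t;
	attribute domain;
')
type httpd_lo_packet_t;
corenet_packet(httpd_lo_packet_t)
type ext_packet_t;
corenet_packet(ext_packet_t)
allow domain httpd_lo_packet_t:packet { send recv };
allow { domain -httpd_t } ext_packet_t:packet { send recv };
# name_connect is still required (same effect as httpd_can_network_connect),
# but the packet rules above stop it from reaching anything off loopback.
corenet_tcp_connect_all_ports(httpd_t)
EOF
}

# Number of emitted rules that label non-loopback packets (INPUT + OUTPUT).
ext_rule_count() { secmark_rules | grep -c 'ext_packet_t'; }

# To apply: policy_module_te > httpd_lo_only.te
#           make -f /usr/share/selinux/devel/Makefile httpd_lo_only.pp
#           semodule -i httpd_lo_only.pp && secmark_rules | sh
```

Because every packet gets a label, no unlabeled_t packets remain once the rules are loaded, so any daemon that is expected to talk off-box must be covered by the ext_packet_t rule; check audit.log for packet denials after loading.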