SELinux Mailing List

Re: Adding two new booleans to httpd to tighten its security.

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 12 Dec 2005 23:15:50 -0500


Robert L Cochran wrote:
> Joe Orton wrote:
>
>> On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
>>
>>
>>> Currently policy allows httpd to connect to relay ports and to
>>> mysql/postgres ports.
>>>
>>> Adding these booleans
>>> * httpd_can_network_relay
>>> * httpd_can_network_connect_db
>>>
>>> And turning this feature off by default. This is going into
>>> tonight's reference policy and into FC4 test release.
>>>
>>
>> Do you mean FC4 or FC5? This should not go in an FC4 update
>> off-by-default since it will break working setups. Make it
>> on-by-default if you want to ship this to FC4 users and
>> off-by-default with a big release note for FC5.
>>
>> What's the difference between httpd_can_network_relay and
>> httpd_can_network_connect?
>>
>> Do we still have the problem that httpd cannot reap idle children
>> properly when the latter is set? That really really does need to
>> work by default.
>>
>> joe
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>>
>>
> I'd like to completely agree with Joe. I'm beginning to have quite a
> lot invested in httpd, PHP and related database code and I don't want
> SELinux breaking what is there without a lot of warning. For new
> installs of FC4, I've been forced to turn off SELinux support for
> these applications. They simply don't work otherwise.
>
> Bob Cochran
> Greenbelt, Maryland, USA
>
>

Have you reported your problems here or in bugzilla?

Received on Mon 12 Dec 2005 - 23:24:19 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service