SELinux Mailing List

Re: Adding two new booleans to httpd to tighten its security.

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 12 Dec 2005 23:14:35 -0500


Joe Orton wrote:
> On Fri, Dec 09, 2005 at 03:58:14PM -0500, Daniel J Walsh wrote:
>
>> Currently policy allows httpd to connect to relay ports and to
>> mysql/postgres ports.
>>
>> Adding these booleans
>> * httpd_can_network_relay
>> * httpd_can_network_connect_db
>>
>> And turning this feature off by default. This is going into tonight's
>> reference policy and into FC4 test release.
>>
>
> Do you mean FC4 or FC5? This should not go in an FC4 update
> off-by-default since it will break working setups. Make it
> on-by-default if you want to ship this to FC4 users and off-by-default
> with a big release note for FC5.
>

OK, the plan is to add this to FC4 with relay and database network connect turned on by default.
> What's the difference between httpd_can_network_relay and
> httpd_can_network_connect?
>

They are just more specific. They allow specific connections to relay ports (http, ftp, gopher, etc.) and database ports (mysql and postgres).
> Do we still have the problem that httpd cannot reap idle children
> properly when the latter is set? That really really does need to work
> by default.
>
>

Do you have a bugzilla for this?
> joe
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 12 Dec 2005 - 23:22:53 EST
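The booleans discussed above are layered: httpd_can_network_connect lets httpd connect to any TCP port, so while it is on, the narrower httpd_can_network_connect_db and httpd_can_network_relay make no difference, and "tightening" by flipping the new booleans only helps once the broad one is off. The script below is an added example, not code from this thread or from the reference policy: it reads a listing in the format that `getsebool -a` prints ("name --> on|off"), reports which boolean currently grants httpd access to database ports, and prints the `setsebool -P` commands that would narrow that grant to the database ports only. The sample listing and the function names (sel_bool_state, httpd_db_reach, httpd_tighten_plan) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing list post. Decide which SELinux boolean,
# if any, currently lets httpd open outbound TCP connections to database ports,
# and print the setsebool commands that would narrow it.
#
# Constructed sample in the `getsebool -a` output format. On a live system the
# functions can be given "$(getsebool -a)" instead.
SAMPLE_LISTING='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_enable_cgi --> on'

# sel_bool_state NAME LISTING -> prints on | off | absent
sel_bool_state() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n { print $3; found = 1 }
        END { if (!found) print "absent" }'
}

# httpd_db_reach LISTING -> prints one token describing how httpd reaches
# database ports. httpd_can_network_connect covers every TCP port, so it
# must be checked before the narrower _db boolean.
httpd_db_reach() {
    if [ "$(sel_bool_state httpd_can_network_connect "$1")" = on ]; then
        echo "allowed:httpd_can_network_connect"
    elif [ "$(sel_bool_state httpd_can_network_connect_db "$1")" = on ]; then
        echo "allowed:httpd_can_network_connect_db"
    else
        echo "denied"
    fi
}

# httpd_tighten_plan LISTING -> prints the persistent setsebool commands that
# keep database access working while dropping the allow-any-port boolean.
# Prints nothing when access is already granted only by the narrow boolean
# or is denied. A site that also proxies through httpd would additionally
# need "setsebool -P httpd_can_network_relay on" before dropping the broad one.
httpd_tighten_plan() {
    case "$(httpd_db_reach "$1")" in
        allowed:httpd_can_network_connect)
            echo "setsebool -P httpd_can_network_connect_db on"
            echo "setsebool -P httpd_can_network_connect off"
            ;;
    esac
}

# Stand-alone run: use the real listing when getsebool works, else the sample.
live=$(getsebool -a 2>/dev/null) || live=$SAMPLE_LISTING
httpd_db_reach "$live"
httpd_tighten_plan "$live"
```

Run it as root on a system with SELinux enabled to see the live state; elsewhere it evaluates the constructed sample, which shows the common mistake of the broad boolean still being on. The order of the two printed commands matters: turn the narrow boolean on first so a database-backed site never loses connectivity between the two changes.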
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009