Adding two new booleans to httpd to tighten it's security.
Daniel J Walsh
dwalsh at redhat.com
Fri Dec 9 20:58:14 UTC 2005
Currently policy allows httpd to connect to relay ports and to
mysql/postgres ports.
Adding these booleans
* httpd_can_network_relay
* httpd_can_network_connect_db
And turning this feature off by default. This is going into tonights
reference policy and into FC4 test release.
If we had these turned off we would have prevented the last apache worm
virus.
This could cause problems for people who run httpd relays or have their
apache databases talking to mysql and postgres databases over the network.
You can turn the features back on by executing:
setsebool -P httpd_can_network_relay=1
or
setsebool -P httpd_can_network_connect_db=1
Will consider adding this feature to RHEL in a future update.
Comments?
Dan
--
More information about the fedora-selinux-list
mailing list