Adding two new booleans to httpd to tighten it's security.

Sat Dec 10 18:03:28 UTC 2005

Nicklas Norling wrote:
> Daniel J Walsh wrote:
>
>>
>> Currently policy allows httpd to connect to relay ports and to 
>> mysql/postgres ports.
>>
>> Adding these booleans
>>    * httpd_can_network_relay
>>    * httpd_can_network_connect_db
>>
>> And turning this feature off by default.  This is going into tonights 
>> reference policy and into FC4 test release.
>> If we had these turned off we would have prevented the last apache 
>> worm virus.
>> This could cause problems for people who run httpd relays or have 
>> their apache databases talking to mysql and postgres databases over 
>> the network.
>>
> I'm sorry but I don't understand most of what you write. What is relay 
> ports? What worm are you refering to?
In the default targeted policy in FC4/RHEL4 apache is allowed to attach 
to the Apache ports 80. 8080 and a few others like ftp etc.  This 
boolean would allow users who do not want their apache servers to be 
able to connect out.  Most apache servers do not relay requests to other 
machines, and this would just enforce this policy.  A worm that came out 
over the last couple of months attacked PHP and apache and once a 
machine was infected launched attacks on other web servers inside your 
private network.  If the new policy was in place this worm/attack would 
have been thwarted.  Apache currently is not allowed to connect to 
random ports including the mail port.  You have to turn that on a 
boolean if you want apache to connect to these other ports.  These new
booleans would just close all remaining ports that apache could connect to.
> I find nothing googling and the latest worms I could find was a defect 
> in apache or openssl.
> I'm conserned that this is going in without any discussion, or have I 
> missed somerhing?
This is the discussion.  I have not put out a fc4 RELEASE YET.  I am 
looking for peoples comments before we turn this on.
> I'm guessing most FC4 users having apache setup are using different 
> kind of applications in PHP, Python, Perl
> etc. that they run. Forums, portals, Wikis, blogs etc. Most, if not 
> all, uses the network to connect to the local
> email server and to store/retreive data from a database.  
Connecting to the local database should not be a problem, since that 
would be over a unix domain socket.  Mail is currently shut off and you 
need to turn on  boolean to allow it. 

> Installing a policy that breaks their services will be
> very determinental to the trust of selinux. I suppose those services 
> will be left semi-functional after such an update
> and that manual intervention is required to restore service. That 
> would be close to a DOS attack in my oppinion.
>
We could leave the boolean turned on, but then most customers would not 
get the security increase.
>> You can turn the features back on by executing:
>> setsebool -P httpd_can_network_relay=1
>> or
>> setsebool -P httpd_can_network_connect_db=1
>>
>> Will consider adding this feature to RHEL in a future update.
>>
>> Comments?
>
> Please elaborate, what problem is being solved here? What will the 
> consequences be for end users?
>
It will prevent a hacked Apache/PHP server from being able to launch 
attacks on other servers.  The consequences for most users would be 
nil.  Some will break their service, until they set the boolean, if we 
default to off.
>>
>> Dan
>>
> /Nicke
>


--