Nicklas Norling wrote:
Daniel J Walsh wrote:
>
> Currently policy allows httpd to connect to relay ports and to
> mysql/postgres ports.
>
> Adding these booleans
> * httpd_can_network_relay
> * httpd_can_network_connect_db
>
> And turning this feature off by default. This is going into tonights
> reference policy and into FC4 test release.
> If we had these turned off we would have prevented the last apache
> worm virus.
I'd really appreciate if more effort was expanded in fixing existing
AVCs rather than adding new blocking rules.
The current ruleset is already strong enough a lot of people just turn
off selinux, perfect security isn't much use if no one enables it.
I'd rather aim for imperfect security some users actually use.
--
Nicolas Mailhot