On Thu, Mar 19, 2009 at 08:38:36AM +0100, Willy Tarreau wrote:
> believe it or not, I've never experimented at all with selinux.

Yeah, I wouldn't have guessed it, but you're doing a fine job developing haproxy. I'm really impressed by it! So please keep your focus there :-)

> However, reading your config files, it looks appealing. I'll merge your work into
> 1.3.16, as there's already a contrib dir with various things there.

It's a very simple policy, allowing haproxy to read the needed files in /etc, and to read/write/create/unlink its own PID and socket files. On the networking side it's allowed to bind to all tcp-ports, and to send/receive from any to any.

Other selinux policies (e.g. for httpd, or squid) are more limiting on what the services are allowed to connect to. The squid policy only allows squid to connect to the ftp, gopher[*], http, http-cache and pgpkeyserver ports by default, and provides a boolean variable to change the policy to allow it to connect to any port.

We should maybe do something similar for haproxy: by default let it listen on, and connect to, http-ports only, with a switch for allowing all ports.

[*] Good to see selinux is gopher compliant http://xkcd.com/554/ :-)

-jf
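The squid-style toggle proposed above, written out as a reference-policy module. This is an added example for this archive page, not the policy attached to the thread or anything shipped in haproxy's contrib directory. The type names (haproxy_t, haproxy_exec_t, haproxy_var_run_t) and the boolean name haproxy_connect_any are assumed for illustration; the interfaces called are the standard reference-policy ones (corenet_*, files_*, init_daemon_domain). Which concrete ports http_port_t covers depends on the corenetwork definitions of the target system.

```selinux
policy_module(haproxy, 0.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow haproxy to bind to and connect to any TCP port,
## not only the ports labeled http_port_t.
## </p>
## </desc>
gen_tunable(haproxy_connect_any, false)

# Hypothetical type names, chosen for this example.
type haproxy_t;
type haproxy_exec_t;
init_daemon_domain(haproxy_t, haproxy_exec_t)

# PID file and stats socket live under /var/run.
type haproxy_var_run_t;
files_pid_file(haproxy_var_run_t)

########################################
#
# Local policy
#

allow haproxy_t self:tcp_socket create_stream_socket_perms;
allow haproxy_t self:unix_stream_socket create_stream_socket_perms;

# read/write/create/unlink of its own PID and socket files only
manage_files_pattern(haproxy_t, haproxy_var_run_t, haproxy_var_run_t)
manage_sock_files_pattern(haproxy_t, haproxy_var_run_t, haproxy_var_run_t)
files_pid_filetrans(haproxy_t, haproxy_var_run_t, { file sock_file })

# configuration under /etc is read-only
files_read_etc_files(haproxy_t)

# generic network plumbing: interfaces, nodes, packets
corenet_all_recvfrom_unlabeled(haproxy_t)
corenet_tcp_sendrecv_generic_if(haproxy_t)
corenet_tcp_sendrecv_generic_node(haproxy_t)
corenet_tcp_sendrecv_all_ports(haproxy_t)
corenet_tcp_bind_generic_node(haproxy_t)

# Default: listen on and connect to http ports only.
corenet_tcp_bind_http_port(haproxy_t)
corenet_tcp_connect_http_port(haproxy_t)

# Switch: the boolean widens bind and connect to every port,
# mirroring what squid_connect_any does for squid.
tunable_policy(`haproxy_connect_any',`
	corenet_tcp_bind_all_ports(haproxy_t)
	corenet_tcp_connect_all_ports(haproxy_t)
')
```

Build it with the reference-policy module Makefile and load it with `semodule -i haproxy.pp`; flip the switch with `setsebool -P haproxy_connect_any on`. With the boolean off, a frontend on a port that is not labeled http_port_t will be denied at bind(2) and show up as an AVC denial for haproxy_t, which is the intended failure mode: either relabel that port with `semanage port`, or turn the boolean on, rather than silently allowing everything.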

