From: janfrode@tanso.net (Jan-Frode Myklebust)
Date: Tue, 21 Apr 2009 22:17:24 +0200
Subject: [refpolicy] add policy for haproxy
In-Reply-To: <1240343395.19211.773.camel@gorn.columbia.tresys.com>
References: <20090318223522.GA14675@janfrode.ibm.com>
 <1240343395.19211.773.camel@gorn.columbia.tresys.com>
Message-ID: <20090421201724.GA4270@janfrode.ibm.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Apr 21, 2009 at 03:49:55PM -0400, Christopher J. PeBenito wrote:
> * please have a better in the .if. "Policy for haproxy" is
>   obvious. Something like "HAProxy TCP/HTTP Load Balancer" would be
>   better.

OK, will fix.

> * haproxy_port_t isn't used. New ports need to go in corenetwork.

Yes, probably don't need this one after all..

> * Does it really need to bind and connect to all ports?

It's a general tcp proxy service, so it might need to bind/connect
on any port. But one haproxy-installation will typically only need
to bind/connect to the ports it's proxying for. Do you think maybe
we should use booleans like:

	haproxy_bindconnect_any
	haproxy_bindconnect_http (to bind/connect to http_port_t)
	haproxy_bindconnect_smtp (to bind/connect to smtp_port_t)
	haproxy_bindconnect_pop (to bind/connect to pop_port_t)
	haproxy_bindconnect_db (to bind/connect to same as httpd_can_network_connect_db)
	...

Do you have any suggestions for how to achieve this without creating
too many booleans?

  -jf
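
An added illustration, not part of the original message or of the submitted haproxy policy: how the per-service booleans proposed above could be written in a refpolicy .te file, so that all-ports access is off by default and each narrower grant is enabled separately. The type names haproxy_t and haproxy_exec_t and the module version are assumptions; the boolean names are the ones from the message, and the db and pop booleans would follow the same pattern.

```selinux
policy_module(haproxy, 1.0.0)

## <desc>
## <p>
## Allow haproxy to bind and connect to any TCP port.
## </p>
## </desc>
gen_tunable(haproxy_bindconnect_any, false)

## <desc>
## <p>
## Allow haproxy to bind and connect to http ports (http_port_t).
## </p>
## </desc>
gen_tunable(haproxy_bindconnect_http, false)

## <desc>
## <p>
## Allow haproxy to bind and connect to smtp ports (smtp_port_t).
## </p>
## </desc>
gen_tunable(haproxy_bindconnect_smtp, false)

# Assumed type names; they do not appear in the message.
type haproxy_t;
type haproxy_exec_t;
init_daemon_domain(haproxy_t, haproxy_exec_t)

# Socket, node and capability rules are omitted; only the port
# access under discussion is shown.

# Broad grant: every port, only when explicitly enabled.
tunable_policy(`haproxy_bindconnect_any',`
	corenet_tcp_bind_all_ports(haproxy_t)
	corenet_tcp_connect_all_ports(haproxy_t)
')

# Narrow grants: one port type per boolean.
tunable_policy(`haproxy_bindconnect_http',`
	corenet_tcp_bind_http_port(haproxy_t)
	corenet_tcp_connect_http_port(haproxy_t)
')

tunable_policy(`haproxy_bindconnect_smtp',`
	corenet_tcp_bind_smtp_port(haproxy_t)
	corenet_tcp_connect_smtp_port(haproxy_t)
')
```

With a module like this loaded, an administrator proxying only web traffic would run `setsebool -P haproxy_bindconnect_http on` and leave haproxy_bindconnect_any off.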