[refpolicy] add policy for haproxy
janfrode at tanso.net
Tue Apr 21 15:17:24 CDT 2009
On Tue, Apr 21, 2009 at 03:49:55PM -0400, Christopher J. PeBenito wrote:
> * please have a better <summary> in the .if. "Policy for haproxy" is
> obvious. Something like "HAProxy TCP/HTTP Load Balancer" would be
OK, will fix.
> * haproxy_port_t isn't used. New ports need to go in corenetwork.
Yes, probably don't need this one after all..
> * Does it really need to bind and connect to all ports?
It's a general tcp proxy service, so it might need to bind/connect on
any port. But one haproxy-installation will typically only need to
bind/connect to the ports it's proxying for. Do you think maybe we
should use booleans like:
haproxy_bindconnect_http (to bind/connect to http_port_t)
haproxy_bindconnect_smtp (to bind/connect to smtp_port_t)
haproxy_bindconnect_pop (to bind/connect to pop_port_t)
haproxy_bindconnect_db (to bind/connect to same as httpd_can_network_connect_db)
Do you have any suggestions for how to achieve this without creating too
many booleans ?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090421/661ee0b3/attachment.bin
More information about the refpolicy