The page http://directory.fedoraproject.org/wiki/Install_Guide suggests putting selinux into permissive mode. Why? I've not seen any problems running the directory server under enforcing (either fedora-ds-base from extras or the full install).
It's not a great idea for one Fedora security technology to suggest disabling another . . .
Karl
Karl MacMillan wrote:
The page http://directory.fedoraproject.org/wiki/Install_Guide suggests putting selinux into permissive mode. Why? I've not seen any problems running the directory server under enforcing (either fedora-ds-base from extras or the full install).
Without looking I suspect it is because the newer packages fit into the filesystem better so are probably covered by existing SELinux rules. When it was installed in /opt/fedora-ds alone there was no security context covering it.
It probably heavily depends on which release you're installing it onto as well.
rob
On Wed, 2007-05-09 at 14:16 -0400, Rob Crittenden wrote:
Karl MacMillan wrote:
The page http://directory.fedoraproject.org/wiki/Install_Guide suggests putting selinux into permissive mode. Why? I've not seen any problems running the directory server under enforcing (either fedora-ds-base from extras or the full install).
Without looking I suspect it is because the newer packages fit into the filesystem better so are probably covered by existing SELinux rules. When it was installed in /opt/fedora-ds alone there was no security context covering it.
Installing into /opt of a recent rawhide showed no problems. Even if it was a problem it would have been a _very_ easy fix either in the policy package or the directory server packages.
It probably heavily depends on which release you're installing it onto as well.
I think that we need to work to resolve any issues and remove that suggestion. At the very least it needs to specify specific OS and directory server releases.
That blanket statement is very harmful and unnecessary.
I'll be happy to help you resolve any issues - just give me the specific problems that you are seeing.
Karl
Karl MacMillan wrote:
On Wed, 2007-05-09 at 14:16 -0400, Rob Crittenden wrote:
Karl MacMillan wrote:
The page http://directory.fedoraproject.org/wiki/Install_Guide suggests putting selinux into permissive mode. Why? I've not seen any problems running the directory server under enforcing (either fedora-ds-base from extras or the full install).
Without looking I suspect it is because the newer packages fit into the filesystem better so are probably covered by existing SELinux rules. When it was installed in /opt/fedora-ds alone there was no security context covering it.
Installing into /opt of a recent rawhide showed no problems. Even if it was a problem it would have been a _very_ easy fix either in the policy package or the directory server packages.
Try RHEL4. I know Dan Walsh did a lot of work to write SELinux policies for DS in FC5 or 6, which are also in rawhide.
It probably heavily depends on which release you're installing it onto as well.
I think that we need to work to resolve any issues and remove that suggestion. At the very least it needs to specify specific OS and directory server releases.
Definitely.
That blanket statement is very harmful and unnecessary.
I'll be happy to help you resolve any issues - just give me the specific problems that you are seeing.
Karl
-- Fedora-directory-devel mailing list Fedora-directory-devel@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-devel
On Wed, 2007-05-09 at 12:39 -0600, Richard Megginson wrote:
Karl MacMillan wrote:
On Wed, 2007-05-09 at 14:16 -0400, Rob Crittenden wrote:
Karl MacMillan wrote:
The page http://directory.fedoraproject.org/wiki/Install_Guide suggests putting selinux into permissive mode. Why? I've not seen any problems running the directory server under enforcing (either fedora-ds-base from extras or the full install).
Without looking I suspect it is because the newer packages fit into the filesystem better so are probably covered by existing SELinux rules. When it was installed in /opt/fedora-ds alone there was no security context covering it.
Installing into /opt of a recent rawhide showed no problems. Even if it was a problem it would have been a _very_ easy fix either in the policy package or the directory server packages.
Try RHEL4. I know Dan Walsh did a lot of work to write SELinux policies for DS in FC5 or 6, which are also in rawhide.
Do you have a test environment on RHEL 4 I can access - I don't have one quickly available.
Thanks - Karl
It probably heavily depends on which release you're installing it onto as well.
I think that we need to work to resolve any issues and remove that suggestion. At the very least it needs to specify specific OS and directory server releases.
Definitely.
That blanket statement is very harmful and unnecessary.
I'll be happy to help you resolve any issues - just give me the specific problems that you are seeing.
Karl
389-devel@lists.fedoraproject.org