On Mon, 11 Jul 2005 15:35:41 MDT, Dax Kelson said:
> Should the owner and group and permissions be made to match up with the
> SELinux policy? ie:
> chgrp named /etc/named.conf
> chmod 640 /etc/named.conf

No.

First off, there's the distinction between strict and targeted policy - if
you *really* wanted to mirror that, strict should have chmod 640, but targeted
should have chmod 644 (because Joe User running in unconfined_t will be allowed
to 'more /etc/named.conf').

Secondly, you want to keep the Unix permissions/owners consistent with systems
that *don't* run SELinux. Otherwise, you *will* go nuts trying to troubleshoot
a permissions problem as systems get divergent settings on them.

Of course, if 'chmod 640 /etc/named.conf' makes sense *even on a non-SELinux*
system (are there any sensitive passwords/etc in there? I don't remember BIND
having any such, but...) then by all means the change should be made...
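
Added example, not part of the original message: one way to check the open question above, whether the file holds anything sensitive, so that the 640 decision rests on the Unix permissions alone. It assumes BIND's `key { secret "..."; };` and `include "...";` statements; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.
# audit_conf_perms returns: 0 = nothing to change, 1 = at least one file holds
# a key secret and is world-readable, 2 = the file cannot be read.

# True if the file has a  secret "...";  clause that is not behind a # or //
# comment. Multi-line /* ... */ comments are not handled.
has_secret() {
    grep -Eq '^[^#/]*secret[[:space:]]+"[^"]+"' "$1"
}

# True if the "other" read bit is set; -L follows symlinks to the real file.
world_readable() {
    [ "$(ls -ldL -- "$1" | cut -c8)" = "r" ]
}

# Paths named by  include "...";  statements, one per line.
included_files() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

audit_conf_perms() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    status=0
    # Check the file itself plus anything it includes (one level deep).
    # Assumes included paths contain no whitespace.
    for f in "$conf" $(included_files "$conf"); do
        [ -r "$f" ] || continue
        if has_secret "$f" && world_readable "$f"; then
            echo "$f: holds a key secret and is world-readable; 640 makes sense"
            status=1
        fi
    done
    return $status
}
```

Run it as `audit_conf_perms /etc/named.conf`; a non-zero status means the tighter mode is justified even on a system without SELinux.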