I was porting some DNS courseware lab exercises to RHEL4 and FC3/4 and the following came up. In the file: /etc/selinux/targeted/src/policy/domains/program/named.te There exists policy so that only "named" can read named configuration files. # A type for configuration files of named. type named_conf_t, file_type, sysadmfile; [snip] #read configuration files r_dir_file(named_t, named_conf_t) This is fine and works. The question comes then that the standard file owner and group and permission are more open (and have been historically). -rw-r--r-- 1 root root 1323 Aug 25 2004 /etc/named.conf Should the owner and group and permissions be made to match up with the SELinux policy? ie: chgrp named /etc/named.conf chmod 640 /etc/named.conf ala -rw-r----- 1 root named 1323 Aug 25 2004 /etc/named.conf How about this same question at a more general level. What is the current practice regarding syncing up and matching SELinux policy with the file owner/group and permissions? Is there a current defined practice? If not, should there be? :) Dax Kelson Guru Labs