first encounters with SELINUX, with some suggestions
Joe Orton
jorton at redhat.com
Tue Nov 16 10:51:01 UTC 2004
On Thu, Nov 11, 2004 at 05:03:36PM +0100, Thomas Vander Stichele wrote:
> Hi,
>
> > >
> > > - A lot of developers I know, including a bunch at Red Hat, *turn off
> > > SELINUX entirely*. IMO, something that gets pushed at heavily as this
> > > should be dogfooded by the development team at Red Hat completely, so
> > > they encounter firsthand what it means and how to fix basic issues.
> >
> > FWIW I have three machines here, of which two have SELinux always on in
> > enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
> > sometimes things break...). They're all using the targeted policy.
>
> Oh, I'm sure there are developers dogfooding it. My point is that *all*
> of the Red Hat developers should be dogfooding it if you think SELINUX
> should be the default (which I assume is being thought since it's the
> default in anaconda).
I dogfood it on all my test boxes. But the reality is that if you use a
slightly non-default configuration for httpd or enable any of the
"interesting" modules, or use any interesting PHP webapps, etc, then you
are going to have to either write a shed-load of SELinux policy specific
to your configuration, or you're going to disable the httpd target in
s-c-securitylevel. That's just a fact of SELinux as far as I can tell.
The conclusion I draw from this is, as I've said before, that it's not
correct to have httpd covered by the SELinux policy *by default*.
joe
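Deciding between "write a shed-load of policy" and "disable the httpd target" starts with seeing what the policy is actually denying. The script below is an added example, not code from the thread or from Red Hat: it summarises FC3-era kernel-log AVC denials (constructed sample lines, not real captures) per source type, target type, object class and permission, and filters to the httpd_t domain that the targeted policy's httpd target confines.

```shell
#!/bin/sh
# Constructed sample kernel-log lines in the 2004-era AVC format (not from the thread).
AVC_SAMPLE='audit(1100000000.101:0): avc:  denied  { getattr } for  pid=2001 exe=/usr/sbin/httpd path=/home/alice/public_html/index.php dev=hda2 ino=4711 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1100000000.102:0): avc:  denied  { read } for  pid=2001 exe=/usr/sbin/httpd name=index.php dev=hda2 ino=4711 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1100000000.103:0): avc:  denied  { name_connect } for  pid=2002 exe=/usr/sbin/httpd dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
audit(1100000000.104:0): avc:  denied  { write } for  pid=3003 exe=/usr/bin/vim name=notes dev=hda2 ino=99 scontext=root:system_r:unconfined_t tcontext=root:object_r:etc_t tclass=file'

# avc_summary: read AVC lines on stdin and print one line per distinct
# "<source type> <target type> <class> <permission>" tuple, prefixed by its count.
avc_summary() {
  awk '
    /avc: +denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # permission set sits between braces: "{ read }" -> "read"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # keep only the type field (last colon-separated part) of each context
        if ($i ~ /^scontext=/) { n = split($i, a, ":"); src = a[n] }
        if ($i ~ /^tcontext=/) { n = split($i, b, ":"); tgt = b[n] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
  ' | sort
}

# httpd_denials: only the denials raised against the httpd_t domain, i.e. the
# ones that a non-default httpd configuration produces under the targeted policy.
httpd_denials() { avc_summary | grep ' httpd_t '; }

# Usage: feed dmesg (or /var/log/messages) through the filter.
printf '%s\n' "$AVC_SAMPLE" | httpd_denials
```

Denials of httpd_t reading user_home_t content usually point to mislabelled files rather than a need for new policy; denials on port types such as mysqld_port_t are the kind that need either a policy change or the target switched off.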