SELinux should be off by default in FC3
Stephen Smalley
sds at epoch.ncsc.mil
Thu Oct 7 13:00:01 UTC 2004
On Thu, 2004-10-07 at 03:20, Arjan van de Ven wrote:
> On Thu, 2004-10-07 at 01:24, Nathan Grennan wrote:
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127900
>
> > I don't think it is reasonable to have to relabel
> > every time a file is moved around to work around possible problems with
> > SELinux.
>
> sounds like apache should automatically relabel or something on start.
Consider the parallel for DAC: would you recommend having apache run
chown/chmod -R on /var/www on every start? Not a good idea for
relabeling either.
> The goal of the default selinux policy is to be invisible unless you're
> an exploit. Seems like it's not ;(
Teaching users to use restorecon in the same manner as chmod/chown if
they want to export data to one of the confined services like apache is
not an undue burden. Note that SELinux isn't preventing the user from
doing what he wants; it is just preventing a confined service (apache)
from accessing a file whose protections indicate that it shouldn't be
accessible. No different than the user moving a file there without
applying chown/chmod appropriately.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the devel
mailing list