SELinux should be off by default in FC3
Colin Walters
walters at redhat.com
Thu Oct 7 15:54:35 UTC 2004
On Thu, 2004-10-07 at 09:25 -0500, Chris Adams wrote:
> Once upon a time, Stephen Smalley <sds at epoch.ncsc.mil> said:
> > > The goal of the default selinux policy is to be invisible unless you're
> > > an exploit. Seems like it's not ;(
> >
> > Teaching users to use restorecon in the same manner as chmod/chown if
> > they want to export data to one of the confined services like apache is
> > not an undue burden.
>
> Lots of web users use FTP to upload files. FTP has a chmod command; it
> does not have commands to alter SELinux labels.

Yes, that is a problem. Ideally we would get such support added.
Having SELinux support in the kernel and a few core utilities is only
the beginning - I'd like to see support for SELinux throughout all the
Linux tools, and for it to become as standard a part of Linux security
as the normal DAC is. With the default targeted policy I think we're on
the right path.