SELinux should be off by default in FC3

Stephen J. Smoogen smooge at gmail.com
Fri Oct 8 16:58:12 UTC 2004


On Fri, 8 Oct 2004 17:38:37 +0100, Joe Orton <jorton at redhat.com> wrote:
> On Thu, Oct 07, 2004 at 04:33:34PM -0400, Colin Walters wrote:
> > On Thu, 2004-10-07 at 17:36 +0100, Joe Orton wrote:
> >
> > > That's surely not the whole story if SELinux is on by default and Apache
> > > is covered by the targeted policy.  The fact seems to be that you have
> > > to know and understand SELinux to be able to do the normal things you do
> > > with Apache, e.g. write CGI scripts, or change httpd.conf.
> >
> > Following up on this a bit - it would be possible to weaken the Apache
> > policy so that there are not separate types for user versus system
> > content, or CGI script executables versus CGI data.  You'd just have a
> > single type, httpd_content_t.  Then an administrator wouldn't have to
> > know how to run chcon to relabel executable CGI scripts or mark data as
> > readonly by the CGI script.
> 
> I'm just not convinced it's the right decision to apply SELinux policy
> to Apache *by default*.  New administrators have enough problems trying
> to configure stuff as it is, without placing this invisible tripwire in
> front of them.
> 
> It won't endear people to FC3 as a good web server platform if the PHP,
> CGI scripts etc, hell, even running httpd -t "just doesn't work" out of
> the box when it did in past releases.  They will go back to "chuck away
> the packaged stuff and build from sources" as that'll be the first thing
> people will tell them when they ask the mailing lists and IRC channels.
> 
> 

They can also install everything as setuid and root.. and give someone
the root password to help them set it up.. if they listen to the wrong
people on mailing lists and IRC channels.

People can also just turn off selinux with a one liner and a reboot if
they don't have the time, inclination, or energy to learn a new
security mechanism.

-- 
Stephen J Smoogen.
Professional System Administrator
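An added example, not from this thread and not Fedora's own tooling: the
alternative to the "one liner and a reboot" is to find out which files the
targeted policy is actually objecting to. The script below reads
"context path" lines in the format GNU `stat -c '%C %n'` prints (an
assumption about the host), extracts the SELinux type, and reports files
under an Apache document root whose type does not match what the policy
expects. The type names httpd_sys_content_t and httpd_sys_script_exec_t
are the targeted policy's types as I understand them, and the sample input
is constructed.

```shell
#!/bin/sh
# Audit SELinux labels on Apache content instead of turning SELinux off.
# Input format: "<user>:<role>:<type>[:<level>] <path>", one file per line,
# which is what `stat -c '%C %n'` (GNU coreutils, assumed) produces.

# Expected type for a path under the docroot. Assumption: the targeted
# policy wants CGI executables labelled httpd_sys_script_exec_t and plain
# content httpd_sys_content_t; adjust the patterns to the local policy.
expected_type() {
    case "$1" in
        */cgi-bin/*) echo httpd_sys_script_exec_t ;;
        *)           echo httpd_sys_content_t ;;
    esac
}

# Read "context path" lines on stdin and print one line per mismatch:
#   path<TAB>actual_type<TAB>expected_type
# The return status is the number of mismatches, so 0 means every file
# carries the type the policy expects.
check_httpd_labels() {
    bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        # The type is the third colon-separated field of the context.
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
        want=$(expected_type "$path")
        if [ "$actual" != "$want" ]; then
            printf '%s\t%s\t%s\n' "$path" "$actual" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample of what stat -c '%C %n' might show: a PHP file copied
# from a home directory (still user_home_t) and a new CGI script that was
# never relabelled with chcon.
SAMPLE='system_u:object_r:httpd_sys_content_t /var/www/html/index.html
user_u:object_r:user_home_t /var/www/html/upload.php
system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/hello.cgi
system_u:object_r:httpd_sys_content_t /var/www/cgi-bin/new.cgi'

# On a real host the input would come from the filesystem, e.g.
#   find /var/www -type f -exec stat -c '%C %n' {} + | check_httpd_labels
# Here the constructed sample is used; two files are reported.
printf '%s\n' "$SAMPLE" | check_httpd_labels || echo "$? mislabelled file(s)"
```

Each reported path can then be relabelled with chcon to the expected type
shown in the third column, which is the step the quoted discussion says
administrators currently have to know about.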



