Proposal: ReadOnlyDirectories /etc and /usr for network-services
Miloslav Trmač
mitr at volny.cz
Thu Jul 25 19:26:46 UTC 2013
On Thu, Jul 25, 2013 at 6:36 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
> if you are able to marry pure-ftpd, samba and 250 cms-installations predictable
> on a machine running also *self developed* managment-software for a complete
> infrastructure on 20 Fedora servers with SElinux go ahead :-)
>
> been there done that and it makes thiings so secure that they are completly
> unuseable because you are searching all day long for problems acess denied
> here and there
That can happen with SELinux when the application does something
unanticipated by the policy writers. It can also happen just the same
with ReadOnly Directories, for just the same reason, can't it?
I suppose there may a difference in how often that happens - "/usr is
read only" is a fairly well-targeted heuristics, OTOH "/usr is read
only" also leaves a large part of the system completely unprotected.
Mirek
More information about the devel
mailing list