[Fwd: Re: who provides /etc/sysconfig/selinux?]
Daniel J Walsh
dwalsh at redhat.com
Fri Jun 4 18:30:40 UTC 2004
Stephen Smalley wrote:
>On Fri, 2004-06-04 at 10:53, Daniel J Walsh wrote:
>
>
>>Today's selinux-policy-* RPMs attempt to handle the /etc/selinux/config
>>and /etc/sysconfig/selinux files in the post install.
>>
>>Please check them out.
>>
>>
>
>Shouldn't it default to SELINUX=permissive in the absence of any
>/etc/sysconfig/selinux file?
>
>
>
No. Well, the only way this should happen is on a fresh install or a
disabled SELinux box. I don't like permissive because we end up with too
many false AVC messages. A fresh install should put down proper context
and with targeted policy, enforcing should work out of the box. Also I
have a concern about people forgetting to change permissive to
enforcing, and having a false sense of security.

>Do we need a dependency on the newer libselinux, policycoreutils, and
>SysVinit that are aware of the new policy locations?
>
>
>
Probably. Any application that uses default contexts needs to use the
new library.