[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: first encounters with SELINUX, with some suggestions



On Thu, Nov 11, 2004 at 05:03:36PM +0100, Thomas Vander Stichele wrote:
> Hi,
> 
> > > 
> > > - A lot of developers I know, including a bunch at Red Hat, *turn off
> > > SELINUX entirely*.  IMO, something that gets pushed at heavily as this
> > > should be dogfooded by the development team at Red Hat completely, so
> > > they encounter firsthand what it means and how to fix basic issues.
> > 
> > FWIW I have three machines here, of which two have SELinux always on in
> > enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
> > sometimes things break...).  They're all using the targeted policy.
> 
> Oh, I'm sure there are developers dogfooding it.  My point is that *all*
> of the Red Hat developers should be dogfooding it if you think SELINUX
> should be the default (which I assume is being thought since it's the
> default in anaconda).

I dogfood it on all my test boxes.  But the reality is that if you use a
slightly non-default configuration for httpd or enable any of the
"interesting" modules, or use any interesting PHP webapps, etc, then you
are going to have to either write a shed-load of SELinux policy specific
to your configuration, or you're going to disable the httpd target in
s-c-securitylevel.  That's just a fact of SELinux as far as I can tell.

The conclusion I draw from this is, as I've said before, that it's not
correct to have httpd covered by the SELinux policy *by default*.

joe


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]