SELinux should be off by default in FC3
Nathan G. Grennan
fedora-devel-list at cygnusx-1.org
Thu Oct 7 07:07:19 UTC 2004
On Thu, 2004-10-07 at 00:06 -0400, Colin Walters wrote:
> You can copy instead of moving, that will cause the newly created file
> to inherit the target directory's security context.
>
So the move command is obsolete, and all users will figure this out and
accept it?
> It's a good thing that a bit of work is required to expose your personal
> data to the web server.
It should be obvious that I am exposing it when I move it
to /var/www/html.
> If you upload via FTP directly to the web site, then it will Just Work.
> If you upload to your home directory and then rename to the website
> directory (which seems rather odd to me), then yes, you will need to
> relabel. And normal users can do this, just run:
>
I have seen users accidentally upload data to /home/user, instead
of /home/public_html and then move it. A user may also want to upload
big files like ISOs before a release to /home/user, and then move them
into /home/user/public_html when the time is right. Users will do all
kinds of things you can think of doing.
> You can disable SELinux protection just for Apache if you like, run
> system-config-securitylevel.
So it is good to be broken out of the box? This is also just one case
with one service. I am sure many more such problems will come up. I
think that SELinux should be more transparent to the user before
becoming the default.
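
The copy-versus-move behaviour discussed in this thread can be audited after the fact. The following is an added example, not part of the original message: a shell filter that lists files under a web root whose SELinux type is not the expected one. It assumes the standard type names `httpd_sys_content_t` and `user_home_t`; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread).
# A file moved with mv keeps the label it had at its source, while a file
# created by cp inherits the target directory's label. This filter reads
# "<context> <path>" lines and prints every file whose type field differs
# from the expected one.

# mislabeled EXPECTED_TYPE  (reads "<context> <path>" lines on stdin)
mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            # A context is user:role:type, optionally followed by :level
            n = split($1, ctx, ":")
            if (n < 3) next              # no usable context on this line
            if (ctx[3] != want) {
                path = $0
                sub(/^[^ ]+ +/, "", path)   # keep paths containing spaces
                print ctx[3] "\t" path
            }
        }'
}

# Constructed sample: one file copied into place, one moved from a home
# directory, one carrying a four-field context with a level.
SAMPLE='system_u:object_r:httpd_sys_content_t /var/www/html/index.html
user_u:object_r:user_home_t /var/www/html/release.iso
user_u:object_r:httpd_sys_content_t:s0 /var/www/html/copied.iso'

audit_sample() {
    printf '%s\n' "$SAMPLE" | mislabeled httpd_sys_content_t
}

# On a live SELinux system the same filter can be fed from GNU stat:
#   find /var/www/html -type f -exec stat -c '%C %n' {} + \
#       | mislabeled httpd_sys_content_t
```

Only the moved file is reported, with the type it carried over from the home directory.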