SELinux should be off by default in FC3

Joe Orton jorton at redhat.com
Fri Oct 8 16:38:37 UTC 2004


On Thu, Oct 07, 2004 at 04:33:34PM -0400, Colin Walters wrote:
> On Thu, 2004-10-07 at 17:36 +0100, Joe Orton wrote:
> 
> > That's surely not the whole story if SELinux is on by default and Apache
> > is covered by the targeted policy.  The fact seems to be that you have
> > to know and understand SELinux to be able to do the normal things you do
> > with Apache, e.g. write CGI scripts, or change httpd.conf.  
> 
> Following up on this a bit - it would be possible to weaken the Apache
> policy so that there are not separate types for user versus system
> content, or CGI script executables versus CGI data.  You'd just have a
> single type, httpd_content_t.  Then an administrator wouldn't have to
> know how to run chcon to relabel executable CGI scripts or mark data as
> readonly by the CGI script.

I'm just not convinced it's the right decision to apply SELinux policy
to Apache *by default*.  New administrators have enough problems trying
to configure stuff as it is, without placing this invisible tripwire in
front of them.

It won't endear people to FC3 as a good web server platform if the PHP,
CGI scripts etc, hell, even running httpd -t "just doesn't work" out of
the box when it did in past releases.  They will go back to "chuck away
the packaged stuff and build from sources" as that'll be the first thing
people will tell them when they ask the mailing lists and IRC channels.

joe
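The "invisible tripwire" discussed above shows up as AVC denials in the kernel log (on FC3, via syslog/dmesg; under auditd, in the audit log). The following is an added example, not code from the post or from Fedora: it parses a few constructed AVC lines in the FC3-era message format, keeps only denials against httpd_t on files, and prints the chcon relabel an administrator would have to run under the split-type policy Colin describes (httpd_sys_script_exec_t for CGI executables, httpd_sys_content_t for static content). The log lines, hostname and paths are constructed; the path-to-type mapping is a simplification of the targeted policy's file contexts and is an assumption of this example, not the policy's own rule set.

```python
import re

# Constructed sample AVC denials in the FC3-era kernel log format; not taken
# from the mailing-list post. The first two are what you get after moving a
# CGI script and an HTML file out of a home directory with mv (which keeps the
# user_home_t label); the third is a port-binding denial that no chcon fixes.
SAMPLE_AVC_LINES = """\
Oct  8 16:40:01 fc3 kernel: audit(1097253601.124:7): avc:  denied  { execute } for  pid=3140 exe=/usr/sbin/httpd path=/var/www/cgi-bin/hello.cgi dev=hda2 ino=98765 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Oct  8 16:40:02 fc3 kernel: audit(1097253602.581:8): avc:  denied  { read } for  pid=3141 exe=/usr/sbin/httpd path=/var/www/html/index.html dev=hda2 ino=98766 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Oct  8 16:40:03 fc3 kernel: audit(1097253603.010:9): avc:  denied  { name_bind } for  pid=3142 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict of the AVC record's key=value fields plus the denied
    permission list, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def expected_type(path):
    """Assumed simplification of the targeted policy's split between CGI
    executables and static content; real file_contexts are more detailed."""
    if "/cgi-bin/" in path or path.endswith(".cgi"):
        return "httpd_sys_script_exec_t"
    return "httpd_sys_content_t"


def suggest_fix(rec):
    """Return a chcon command for a file-label denial against httpd_t,
    or None when relabelling would not address the denial."""
    if rec is None or rec.get("scontext", "").split(":")[-1] != "httpd_t":
        return None
    if rec.get("tclass") != "file" or "path" not in rec:
        return None  # socket/port denials etc. are not label problems
    current = rec["tcontext"].split(":")[-1]
    wanted = expected_type(rec["path"])
    if current == wanted:
        return None  # label already right; the denial is something else
    return "chcon -t %s %s" % (wanted, rec["path"])


def triage(log_text):
    """Walk a block of log text and collect the relabel commands it implies."""
    fixes = []
    for line in log_text.splitlines():
        fix = suggest_fix(parse_avc(line))
        if fix:
            fixes.append(fix)
    return fixes


if __name__ == "__main__":
    for cmd in triage(SAMPLE_AVC_LINES):
        print(cmd)
```

Two things the output illustrates: the denials only appear in the log, never in Apache's own error_log, which is why "httpd just doesn't work" looks like a mystery to someone who does not know to look for avc: messages; and the fix depends on how the file got there, since mv carries the old label along while cp creates a new file that inherits the destination directory's default context.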




More information about the fedora-devel-list mailing list