[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux should be off by default in FC3



On Thu, 2004-10-07 at 00:06 -0400, Colin Walters wrote: 
> You can copy instead of moving, that will cause the newly created file
> to inherit the target directory's security context.
> 

So the move command is obsolete, and all users will figure this out and
accept it?

> It's a good thing that a bit of work is required to expose your personal
> data to the web server.

It should be obvious that I am exposing it when I move it
to /var/www/html.

> If you upload via FTP directly to the web site, then it will Just Work.
> If you upload to your home directory and then rename to the website
> directory (which seems rather odd to me), then yes, you will need to
> relabel.  And normal users can do this, just run:
> 

I have seen users accidentally upload data to /home/user, instead
of /home/public_html and then move it. A user may also want to upload
big files like isos before a release to /home/user, and then move them
into /home/user/public_html when the time is right. Users will do all
kinds of things you can think of doing.

> You can disable SELinux protection just for Apache if you like, run
> system-config-securitylevel.

So it is good to be broken out of the box? This is also just one case
with one service. I am sure many more such problems will come up. I
think that SELinux should be more transparent to the user before
becoming the default.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]