
Re: SELinux should be off by default in FC3



On Thu, 2004-10-07 at 03:20, Arjan van de Ven wrote:
> On Thu, 2004-10-07 at 01:24, Nathan Grennan wrote:
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127900
> 
> >  I don't think it is reasonable to have to relabel
> > every time a file is moved around to work around possible problems with
> > SELinux. 
> 
> sounds like apache should automatically relabel or something on start.

Consider the parallel for DAC:  would you recommend having apache run
chown/chmod -R on /var/www on every start?  Not a good idea for
relabeling either.

> The goal of the default selinux policy is to be invisible unless you're
> an exploit. Seems like it's not ;(

Teaching users to use restorecon in the same manner as chmod/chown if
they want to export data to one of the confined services like apache is
not an undue burden.  Note that SELinux isn't preventing the user from
doing what he wants; it is just preventing a confined service (apache)
from accessing a file whose protections indicate that it shouldn't be
accessible.  No different than the user moving a file there without
applying chown/chmod appropriately.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
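
Added example, not part of the original message: a read-only audit that lists files under a web root whose SELinux type is not the one a confined Apache is expected to read, so that restorecon can be run on just those files instead of relabeling the whole tree at every start. The expected type `httpd_sys_content_t`, the sample paths and the sample labels are assumptions constructed for illustration.

```python
import os

# Assumption: targeted-policy type for static Apache content.
EXPECTED_TYPE = "httpd_sys_content_t"

def parse_context(raw):
    """Split a security.selinux xattr value into (user, role, type, level)."""
    text = raw.rstrip(b"\x00").decode("ascii")
    parts = text.split(":", 3)  # the level may itself contain ':' (s0:c1,c2)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {text!r}")
    user, role, setype = parts[:3]
    level = parts[3] if len(parts) == 4 else None  # older policies carry no level
    return user, role, setype, level

def read_context(path):
    """Return the raw label of path, or None if unlabeled or SELinux is absent."""
    try:
        return os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (OSError, AttributeError):
        return None

def find_mislabeled(labels, expected_type=EXPECTED_TYPE):
    """labels: iterable of (path, raw context or None) -> [(path, found type)]."""
    bad = []
    for path, raw in labels:
        found = None if raw is None else parse_context(raw)[2]
        if found != expected_type:
            bad.append((path, found))
    return bad

def scan_tree(root, expected_type=EXPECTED_TYPE):
    """Walk root on a live system and report entries with an unexpected type."""
    labels = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            labels.append((full, read_context(full)))
    return find_mislabeled(labels, expected_type)

# Constructed sample: the second file was moved in from a home directory
# and kept its old label, which is the situation discussed in the thread.
SAMPLE = [
    ("/var/www/html/index.html", b"system_u:object_r:httpd_sys_content_t:s0\x00"),
    ("/var/www/html/report.pdf", b"user_u:object_r:user_home_t:s0\x00"),
    ("/var/www/html/old.txt", b"system_u:object_r:httpd_sys_content_t\x00"),
]

if __name__ == "__main__":
    for path, found in find_mislabeled(SAMPLE):
        print(f"{path}: type {found}, expected {EXPECTED_TYPE}; run restorecon on it")
```

A single expected type is a simplification, since policy assigns other types to some paths under a web root; `restorecon -n -v` reports what the loaded policy itself would change without changing anything.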

