
Re: SELinux should be off by default in FC3



On Thu, 2004-10-07 at 09:25 -0500, Chris Adams wrote:
> Once upon a time, Stephen Smalley <sds epoch ncsc mil> said:
> > > The goal of the default selinux policy is to be invisible unless you're
> > > an exploit. Seems like it's not ;(
> > 
> > Teaching users to use restorecon in the same manner as chmod/chown if
> > they want to export data to one of the confined services like apache is
> > not an undue burden.
> 
> Lots of web users use FTP to upload files.  FTP has a chmod command; it
> does not have commands to alter SELinux labels.

Yes, that is a problem.  Ideally we would get such support added.
Having SELinux support in the kernel and a few core utilities is only
the beginning - I'd like to see support for SELinux throughout all the
Linux tools, and for it to become as standard a part of Linux security
as the normal DAC is.  With the default targeted policy I think we're on
the right path.
