On Thu, 2004-10-07 at 09:25 -0500, Chris Adams wrote: > Once upon a time, Stephen Smalley <sds epoch ncsc mil> said: > > > The goal of the default selinux policy is to be invisible unless you're > > > an exploit. Seems like it's not ;( > > > > Teaching users to use restorecon in the same manner as chmod/chown if > > they want to export data to one of the confined services like apache is > > not an undue burden. > > Lots of web users use FTP to upload files. FTP has a chmod command; it > does not have commands to alter SELinux labels Yes, that is a problem. Ideally we would get such support added. Having SELinux support in the kernel and a few core utilities is only the beginning - I'd like to see support for SELinux throughout all the Linux tools, and for it to become as standard a part of Linux security as the normal DAC is. With the default targeted policy I think we're on the right path.
Description: This is a digitally signed message part