[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux should be off by default in FC3



On Thu, 2004-10-07 at 08:41 -0700, Nathan Grennan wrote:

> I think this is asking too much, especially when the complexity level is
> such that users won't generally be manually setting security context,
> but letting the system figure out the correct context for them via
> restorecon. That says to me it is more of a automation problem than it
> is a education problem.

No.  As I said in my other mail, particularly in the Apache case, either
the user needs to be aware of them, or you need much higher-level
domain-specific tools built that handle it automatically.

The Apache policy is somewhat special in that it defines new types that
users are allowed to change to and from; typically, users are not
allowed to relabel files.  Generally SELinux is otherwise transparent -
when you create a file in your home directory it automatically gets the
type user_home_t.  

However, as we move towards finer-grained controls on user applications
like Mozilla, users will have to become more generally aware of security
contexts and how to change them.

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]