selinux configuration, are you sure it's the right way?
Farkas Levente
lfarkas at bppiac.hu
Thu Mar 31 15:59:37 UTC 2005
hi,
after having played a few days with selinux, apache and other daemons
and programs, the whole selinux configuration seems to me a bit
confusing. if i find any kind of problem with the "default" selinux
setup, which is not a big thing since most systems are different and there
are a lot of programs which are not included in the core distro, i have
to report it and the next update will include it. my question: why does
selinux include the default policies? why does selinux-policy-* contain the
right access rights for all included daemons, programs? wouldn't it be
much better for every package to include its own policy and in the rpm
postinstall session reload/add/modify the new policies? this is
something similar to the libs. i install only those libs which are
needed for me and at the postinstall session run an ldconfig. i wouldn't
like to install all libs! why should i install policies for e.g. apache
when i don't run apache? why should i update selinux-policy-* just
because there was a bug in the apache part of the policy when i don't
run apache? the current case is something like one big monolithic policy
configuration which most of the time is not suitable for anyone (anyone who
runs anything other than the default needs to modify it or run any
webscript or). of course my main problem is not with the apache policies but
rather with the whole system and way of configuration of selinux. wouldn't
there be an easier and modularized way to use selinux and configure it for the
needed things? probably there is a need for some core policy but all other
policies can be modularized. or did i miss something?
just my 2c.
yours.
--
Levente "Si vis pacem para bellum!"