Forward looking to FC2 final and SELinux

Daniel J Walsh dwalsh at redhat.com
Thu Apr 8 18:55:26 UTC 2004


Jeremy Katz wrote:

>On Thu, 2004-04-08 at 03:46 -0300, Alexandre Oliva wrote:
>
>>On Apr  7, 2004, Matias Feliciano <feliciano.matias at free.fr> wrote:
>>
>>>On Tue 06/04/2004 at 20:59, Jesse Keating wrote:
>>>
>>>>[...]
>>>>The option for SELinux should continue to be exposed during the install 
>>>>(and kickstarts), but default to off.
>>>>
>>>+1
>>>
>>How would you feel about permissive mode instead of disabled as the
>>default?
>>
>
>One problem with this is that if you're running in permissive mode, then
>domain transitions which were expected to occur may not (because you
>would have been denied to do something first if you were running in
>enforcing mode).  This makes switching from permissive to enforcing an
>operation that requires the (imho) broken relabeling of your entire fs.
>
>So I'm not convinced that permissive by default actually buys us
>anything.
>
>Jeremy
>

There are also several applications that will exit out if one of the set 
context calls fails.  They don't currently check security_getenforce().  
Vixie Cron, for example, although I am fixing it now.

Dan
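
The check described in the message above, as an added example that is not part of the original message and not Vixie Cron's code: a failed set-context call aborts the job only when the system is not in permissive mode. The struct selinux_ops indirection, the stub functions and the context string are assumptions made so the example runs without libselinux; refusing when the mode cannot be read is this example's choice.

```c
#include <stdio.h>

/* Hypothetical indirection over three libselinux calls. In a real daemon
 * these would be is_selinux_enabled(), security_getenforce() and
 * setexeccon(); here they are injected so the logic runs anywhere. */
struct selinux_ops {
    int (*is_enabled)(void);            /* 1 enabled, 0 disabled */
    int (*getenforce)(void);            /* 1 enforcing, 0 permissive, -1 error */
    int (*setexeccon)(const char *ctx); /* 0 ok, -1 failure */
};

/* Returns 0 if the job may be run, -1 if it must be refused. */
int apply_job_context(const struct selinux_ops *ops, const char *ctx)
{
    if (ops->is_enabled() <= 0)
        return 0;                       /* SELinux off: nothing to set */
    if (ops->setexeccon(ctx) == 0)
        return 0;                       /* context set as requested */
    /* The set-context call failed: consult the mode before giving up. */
    if (ops->getenforce() == 0) {
        fprintf(stderr, "warning: cannot set %s, permissive, continuing\n", ctx);
        return 0;
    }
    /* Enforcing, or mode unknown (-1): fail closed. */
    fprintf(stderr, "error: cannot set %s, refusing to run job\n", ctx);
    return -1;
}

/* Constructed stubs standing in for the kernel's answers. */
static int stub_one(void)  { return 1; }
static int stub_zero(void) { return 0; }
static int stub_err(void)  { return -1; }
static int stub_set_ok(const char *c)   { (void)c; return 0; }
static int stub_set_fail(const char *c) { (void)c; return -1; }

int main(void)
{
    const char *ctx = "example_u:example_r:example_t"; /* constructed */
    struct selinux_ops permissive = { stub_one, stub_zero, stub_set_fail };
    struct selinux_ops enforcing  = { stub_one, stub_one,  stub_set_fail };
    struct selinux_ops unknown    = { stub_one, stub_err,  stub_set_fail };
    struct selinux_ops working    = { stub_one, stub_one,  stub_set_ok };
    printf("permissive: %d\n", apply_job_context(&permissive, ctx));
    printf("enforcing:  %d\n", apply_job_context(&enforcing, ctx));
    printf("unknown:    %d\n", apply_job_context(&unknown, ctx));
    printf("working:    %d\n", apply_job_context(&working, ctx));
    return 0;
}
```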
