SELinux should be off by default in FC3

Colin Walters walters at redhat.com
Thu Oct 7 16:06:15 UTC 2004


On Thu, 2004-10-07 at 08:41 -0700, Nathan Grennan wrote:

> I think this is asking too much, especially when the complexity level is
> such that users won't generally be manually setting security context,
> but letting the system figure out the correct context for them via
> restorecon. That says to me it is more of an automation problem than it
> is an education problem.

No.  As I said in my other mail, particularly in the Apache case, either
the user needs to be aware of them, or you need much higher-level
domain-specific tools built that handle it automatically.

The Apache policy is somewhat special in that it defines new types that
users are allowed to change to and from; typically, users are not
allowed to relabel files.  Generally SELinux is otherwise transparent -
when you create a file in your home directory it automatically gets the
type user_home_t.  

However, as we move towards finer-grained controls on user applications
like Mozilla, users will have to become more generally aware of security
contexts and how to change them.