SELinux should be off by default in FC3

Colin Walters walters at redhat.com
Fri Oct 8 17:07:06 UTC 2004


On Fri, 2004-10-08 at 17:38 +0100, Joe Orton wrote:

> I'm just not convinced it's the right decision to apply SELinux policy
> to Apache *by default*.  New administrators have enough problems trying
> to configure stuff as it is, 

I agree, Apache is a very complex daemon, with a lot of configuration
possibilities.  That is a very good reason for applying SELinux policy,
since the policy prevents a misconfigured or compromised apache from
damaging your system.

> without placing this invisible tripwire in
> front of them.

When people get permission denials, they will likely know to look in
/var/log/httpd/error_log; we just need to get people to know to
look in /var/log/messages as well.

> It won't endear people to FC3 as a good web server platform if the PHP,
> CGI scripts etc,

With a weakened Apache policy, these should generally require no
configuration.  But it will give less protection as well.

>  hell, even running httpd -t "just doesn't work" 

True.  But really, the syntax parsing should be a separate application.
If the policy allowed the regular daemon access to the system
administrator's terminal, then it could take over an existing root
shell.

> out of
> the box when it did in past releases.  They will go back to "chuck away
> the packaged stuff and build from sources"

That's bad advice.  First of all, if they really want, they can disable
enforcement just for Apache quite easily, as has been mentioned earlier.
Second of all, reinstalling from sources will not be a reliable means to
disable SELinux protection for Apache.  It might work because the new
binaries will inherit the generic sbin_t type, and so no transition will
occur.  But if the system is later relabeled, those files could be reset
to the httpd_exec_t type, and then the transition will happen again.
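As an added example (not part of Colin's message, nor any Fedora or SELinux tooling): a POSIX shell script that does the two checks the reply asks an administrator to make. It scans syslog lines in the FC3-era AVC denial format for denials whose source domain is httpd_t, and it reads the type out of an `ls -Z`-style line to tell whether a binary carries httpd_exec_t (so the transition into httpd_t happens) or a generic type like sbin_t. The log lines and the `ls -Z` layout are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original message.  Runs offline on the
# constructed sample lines below; on a real FC3 host you would feed
# /var/log/messages to avc_denials_for_domain and a line of
# `ls -Z /usr/sbin/httpd` to will_transition_to_httpd_t.

# Constructed sample syslog in the FC3-era kernel AVC format (not real output).
SAMPLE_LOG='Oct  8 17:05:12 web1 kernel: audit(1097254712.123:4): avc:  denied  { read } for  pid=2211 exe=/usr/sbin/httpd name=index.php dev=hda2 ino=34567 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Oct  8 17:05:13 web1 kernel: audit(1097254713.456:5): avc:  denied  { name_connect } for  pid=2211 exe=/usr/sbin/httpd dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
Oct  8 17:06:01 web1 sshd[2300]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Oct  8 17:06:40 web1 kernel: audit(1097254800.789:6): avc:  denied  { write } for  pid=1900 exe=/usr/sbin/named name=zone.db dev=hda2 ino=999 scontext=root:system_r:named_t tcontext=root:object_r:named_zone_t tclass=file'

# Read syslog on stdin; print one line per AVC denial whose source domain
# (the type part of scontext) is $1, as "<perm> <tclass> <tcontext> <name or dest>".
avc_denials_for_domain() {
    grep 'avc: *denied' | awk -v dom="$1" '
    {
        perm = ""; tclass = ""; tctx = ""; obj = ""; sctx = ""
        # the denied permission sits between braces, e.g. "{ read }"
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") sctx = kv[2]
            if (kv[1] == "tcontext") tctx = kv[2]
            if (kv[1] == "tclass")   tclass = kv[2]
            if (kv[1] == "name" || kv[1] == "dest") obj = kv[2]
        }
        # a context is user:role:type; compare the type only
        n = split(sctx, parts, ":")
        if (parts[n] == dom) print perm, tclass, tctx, obj
    }'
}

# Wrappers over the constructed sample log.
httpd_denials() { printf '%s\n' "$SAMPLE_LOG" | avc_denials_for_domain httpd_t; }
count_httpd_denials() { httpd_denials | wc -l | tr -d ' '; }

# Given one line of `ls -Z` output, print the type from the first field that
# looks like a user:role:type context.  Assumed FC3 layout:
#   -rwxr-xr-x  root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
type_of_ls_z_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) { n = split($i, p, ":"); if (n >= 3) { print p[n]; exit } }
    }'
}

# Succeeds when the file is labelled httpd_exec_t, i.e. execution transitions
# into httpd_t.  A locally built binary under a generic type such as sbin_t
# fails this check until the next relabel gives it httpd_exec_t again.
will_transition_to_httpd_t() {
    [ "$(type_of_ls_z_line "$1")" = "httpd_exec_t" ]
}

echo "AVC denials from httpd_t in the sample log: $(count_httpd_denials)"
httpd_denials
```

On a live system the equivalent calls are `avc_denials_for_domain httpd_t < /var/log/messages` and `will_transition_to_httpd_t "$(ls -Z /usr/sbin/httpd)"`; the second one is what tells you whether a from-source install is currently bypassing the policy or has been pulled back under it by a relabel.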



