Another selinux rant

Ed Swierk eswierk at arastra.com
Fri Jan 4 16:40:55 UTC 2008


On 1/4/08, Tomasz Torcz <tomek at crocom.com.pl> wrote:
> tar with "--xattrs"?

No, I didn't realize --xattrs existed; the tar info page doesn't
mention it. Oh, there it is in the man page.

Is there some reason why storing extended attributes by default would
be undesirable? I normally expect tar to carry all relevant metadata
with it; that's sort of the point of using tar.

>  SELinux doesn't care about file location. It cares about labels. Policy
> for *labeling* files and assorted utilities care for paths, but they are
> only additional utilities, not SELinux itself.
>  In your situation, ipp.txt must be writable by openvpn daemon. You can
> achieve it by labeling (man chcon) ipp.txt as openvpn_var_log_t. By
> default files in /etc/openvpn are labeled as openvpn_etc_t (openvpn's
> configuration files). Daemons cannot modify their configuration files.

I see. I now notice ls has a -Z option that shows the SELinux security context.

It would be nice if ls -l would show the security context by default
when SELinux is enabled, as the context is apparently just as
important as file permissions.

People who already know about SELinux can of course just learn to type
ls -l --lcontext, but showing the extra information by default would
at least give clueless users like me a hint that files have these
extra attributes that might somehow be relevant to those strange
openvpn failures. IMHO this would be the single best usability
improvement to SELinux (despite the fact that it makes the output too
wide for an 80-column display).

--Ed
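Added example, not code from the thread: a small POSIX shell audit that applies the labeling rule Tomasz describes (static config files in /etc/openvpn carry openvpn_etc_t, the daemon-written ipp.txt needs openvpn_var_log_t) to `ls -Z`-style lines. The expected-type table, the sample listing and the fix_label helper are my assumptions, constructed so the check runs offline on a non-SELinux box.

```shell
#!/bin/sh
# Audit SELinux type labels under an OpenVPN config directory.
# Assumed rule (from the thread): everything is openvpn_etc_t except the
# runtime-written ipp.txt, which the daemon can only modify as openvpn_var_log_t.

# expected_type PATH -> prints the type the file should carry
expected_type() {
  case "$(basename "$1")" in
    ipp.txt) echo openvpn_var_log_t ;;   # written by the daemon at runtime
    *)       echo openvpn_etc_t ;;       # static configuration, read-only to the daemon
  esac
}

# label_type CONTEXT -> extracts the type from user:role:type:level
label_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# audit_line "CONTEXT PATH" (the shape `ls -Z` prints: context, then name)
# -> "ok PATH" or "mismatch PATH have=X want=Y"
audit_line() {
  ctx=${1%% *}
  path=${1#* }
  have=$(label_type "$ctx")
  want=$(expected_type "$path")
  if [ "$have" = "$want" ]; then
    echo "ok $path"
  else
    echo "mismatch $path have=$have want=$want"
  fi
}

# audit_listing: reads ls -Z style lines on stdin; returns 1 if any mismatch
audit_listing() {
  rc=0
  while IFS= read -r line; do
    out=$(audit_line "$line")
    echo "$out"
    case "$out" in mismatch*) rc=1 ;; esac
  done
  return $rc
}

# Constructed sample: what `ls -Z /etc/openvpn` looks like while ipp.txt
# still carries the directory's default label (the failure in the thread).
SAMPLE='system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/server.conf
system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/ipp.txt'

# fix_label PATH: apply the chcon fix from the thread, only where chcon exists
fix_label() {
  command -v chcon >/dev/null 2>&1 && chcon -t "$(expected_type "$1")" "$1"
}
```

Run the audit with `printf '%s\n' "$SAMPLE" | audit_listing` and it reports the ipp.txt mismatch; note that a chcon label does not survive a relabel (restorecon), so on a real system the rule should also be recorded with `semanage fcontext` before running restorecon.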
