Should file permissions match SELinux policy?
Dax Kelson
dax at gurulabs.com
Mon Jul 11 21:35:41 UTC 2005
I was porting some DNS courseware lab exercises to RHEL4 and FC3/4 and
the following came up.
In the file:
/etc/selinux/targeted/src/policy/domains/program/named.te
There exists policy so that only "named" can read named configuration
files.
# A type for configuration files of named.
type named_conf_t, file_type, sysadmfile;
[snip]
#read configuration files
r_dir_file(named_t, named_conf_t)
This is fine and works. The question then arises because the standard file
owner, group and permissions are more open (and have been
historically).
-rw-r--r-- 1 root root 1323 Aug 25 2004 /etc/named.conf
Should the owner and group and permissions be made to match up with the
SELinux policy? i.e.:
chgrp named /etc/named.conf
chmod 640 /etc/named.conf
a la
-rw-r----- 1 root named 1323 Aug 25 2004 /etc/named.conf
How about this same question at a more general level.
What is the current practice regarding syncing up and matching SELinux
policy with the file owner/group and permissions?
Is there a current defined practice? If not, should there be? :)
Dax Kelson
Guru Labs
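As an added illustration of the check the question is about (this is example code, not from the original post or from the Fedora policy sources): a small shell audit that flags files labelled with a given SELinux type whose DAC mode still grants "other" read, and prints the chgrp/chmod the post proposes. The `ls -lZ`-style input is a constructed sample with a simplified column layout (mode, owner, group, context, path); the function names are my own.

```shell
#!/bin/sh
# Constructed sample in a simplified `ls -lZ` layout (not captured from a host):
# mode owner group selinux_context path
SAMPLE='-rw-r--r-- root root system_u:object_r:named_conf_t:s0 /etc/named.conf
-rw-r----- root named system_u:object_r:named_conf_t:s0 /etc/rndc.key
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/hosts'

# Read ls -lZ style lines on stdin and print every file whose SELinux type
# is $1 but whose DAC mode still lets "other" read it, i.e. where the
# discretionary permissions are wider than the policy's intent.
# Output per hit: path mode owner:group
dac_wider_than_type() {
  type="$1"
  while read -r mode owner group ctx path; do
    [ -n "$path" ] || continue
    case "$ctx" in
      *:"$type":*) ;;          # keep only files of the requested type
      *) continue ;;
    esac
    other=$(printf '%s' "$mode" | cut -c8-10)   # the "other" rwx triplet
    case "$other" in
      r*) printf '%s %s %s:%s\n' "$path" "$mode" "$owner" "$group" ;;
    esac
  done
}

# Print (do not apply) the DAC tightening from the post for one flagged
# path: hand the file to the daemon's group and drop "other" access.
remediation_for() {
  path="$1"; group="$2"
  printf 'chgrp %s %s\nchmod 640 %s\n' "$group" "$path" "$path"
}

printf '%s\n' "$SAMPLE" | dac_wider_than_type named_conf_t
remediation_for /etc/named.conf named
```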