Should file permissions match SELinux policy?

Dax Kelson dax at
Mon Jul 11 21:35:41 UTC 2005

I was porting some DNS courseware lab exercises to RHEL4 and FC3/4 and
the following came up.

In the file:


There exists policy so that only "named" can read named configuration

# A type for configuration files of named.
type named_conf_t, file_type, sysadmfile;


#read configuration files
r_dir_file(named_t, named_conf_t)

This is fine and works.  The question comes then that the standard file
owner and group and permission are more open (and have been

-rw-r--r--  1 root root 1323 Aug 25  2004 /etc/named.conf

Should the owner and group and permissions be made to match up with the
SELinux policy? i.e.:

chgrp named /etc/named.conf
chmod 640 /etc/named.conf


-rw-r-----  1 root named 1323 Aug 25  2004 /etc/named.conf

How about this same question at a more general level.

What is the current practice regarding syncing up and matching SELinux
policy with the file owner/group and permissions?

Is there a current defined practice? If not, should there be? :)

Dax Kelson
Guru Labs
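One way to audit the mismatch the post describes, as an added example that is not part of the original message: a shell function that scans `ls -lZ` output for files whose SELinux type is the one the policy confines (e.g. `named_conf_t`) but whose DAC mode still lets users outside the matching group read them. The sample listing is constructed, and the field layout assumes modern coreutils `ls -lZ` (mode, links, owner, group, context, size, date, path); the type and group are passed as parameters so the same check works for other confined types.

```shell
#!/bin/sh
# Audit helper (added example): report files labelled with a confined SELinux
# type whose Unix mode/group grant read access more widely than the policy does.
# Usage: ls -lZ /etc/named.conf /etc/rndc.key | audit_dac_vs_type named_conf_t named
audit_dac_vs_type() {
    # $1 = SELinux type the policy restricts (e.g. named_conf_t)
    # $2 = Unix group that corresponds to the confined domain (e.g. named)
    awk -v want_type="$1" -v ok_group="$2" '
    {
        split($5, ctx, ":")              # context is user:role:type[:level]
        if (ctx[3] != want_type) next    # only files of the confined type
        mode = $1; owner = $3; group = $4; path = $NF
        other_r = (substr(mode, 8, 1) == "r")   # world read bit
        group_r = (substr(mode, 5, 1) == "r")   # group read bit
        # DAC is wider than policy if anyone can read it, or if a group
        # other than the confined daemon group can read it
        if (other_r || (group_r && group != ok_group))
            printf "%s %s %s:%s\n", path, mode, owner, group
    }'
}

# Constructed sample listing in modern `ls -lZ` format (not real system output).
SAMPLE_LS='-rw-r--r--. 1 root root  system_u:object_r:named_conf_t:s0 1323 Aug 25  2004 /etc/named.conf
-rw-r-----. 1 root named system_u:object_r:named_conf_t:s0  642 Aug 25  2004 /etc/rndc.key
-rw-r--r--. 1 root root  system_u:object_r:etc_t:s0         100 Aug 25  2004 /etc/hosts'

# Demo: only /etc/named.conf should be reported (world-readable, named_conf_t).
printf '%s\n' "$SAMPLE_LS" | audit_dac_vs_type named_conf_t named
```

Only the first line is flagged: `/etc/rndc.key` is readable solely by group `named`, and `/etc/hosts` does not carry the confined type.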
