Should file permissions match SELinux policy?
dax at gurulabs.com
Mon Jul 11 21:35:41 UTC 2005
I was porting some DNS courseware lab exercises to RHEL4 and FC3/4 and
the following came up.
In the file:
There exists policy so that only "named" can read named configuration
# A type for configuration files of named.
type named_conf_t, file_type, sysadmfile;
#read configuration files
This is fine and works. The question comes then that the standard file
owner and group and permission are more open (and have been
-rw-r--r-- 1 root root 1323 Aug 25 2004 /etc/named.conf
Should the owner and group and permissions be made to match up with the
SELinux policy? i.e.:
chgrp named /etc/named.conf
chmod 640 /etc/named.conf
-rw-r----- 1 root named 1323 Aug 25 2004 /etc/named.conf
How about this same question at a more general level.
What is the current practice regarding syncing up and matching SELinux
policy with the file owner/group and permissions?
Is there a current defined practice? If not, should there be? :)
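As an added illustration of the question above (not part of the original post or of any SELinux policy), the following shell function audits whether a file's DAC owner, group and mode are at least as tight as the access the policy intends, e.g. named_conf_t readable only by root and the "named" group at mode 640. It assumes GNU stat on Linux; the owner, group and mode arguments are whatever the policy author decides they should be.

```shell
#!/bin/sh
# Added example: compare a file's DAC bits against the access that the
# SELinux policy intends for it.  Assumes GNU coreutils stat (Linux).

# oct_to_dec OCTAL -> decimal, e.g. oct_to_dec 640 prints 416.
# The leading 0 makes printf parse the argument as an octal constant.
oct_to_dec() {
    printf '%d' "0$1"
}

# dac_within_policy PATH OWNER GROUP MAXMODE
# Returns 0 when PATH is owned by OWNER:GROUP and its permission bits are
# a subset of MAXMODE (octal), 1 otherwise.  Anything reported is a bit
# of access the DAC side grants that the SELinux policy would not.
dac_within_policy() {
    path=$1 want_owner=$2 want_group=$3 max_mode=$4
    info=$(stat -c '%U %G %a' "$path") || return 1
    set -- $info
    owner=$1 group=$2 mode=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owner is $owner, policy expects $want_owner" >&2
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$path: group is $group, policy expects $want_group" >&2
        return 1
    fi
    # Bits set in the actual mode but not in the maximum allowed mode.
    extra=$(( $(oct_to_dec "$mode") & ~$(oct_to_dec "$max_mode") ))
    if [ "$extra" -ne 0 ]; then
        printf '%s: mode %s grants bits outside %s (extra: %o)\n' \
            "$path" "$mode" "$max_mode" "$extra" >&2
        return 1
    fi
    return 0
}

# Example use on the file from the post (hypothetical invocation; the
# expected owner/group/mode are the ones the question proposes):
#   dac_within_policy /etc/named.conf root named 640 && echo "DAC matches"
```

With the stock 644 mode the check reports the world-readable bit as extra; after chgrp named and chmod 640 it passes.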