Should file permissions match SELinux policy?

Valdis.Kletnieks at Valdis.Kletnieks at
Tue Jul 12 16:04:33 UTC 2005

On Mon, 11 Jul 2005 15:35:41 MDT, Dax Kelson said:

> Should the owner and group and permissions be made to match up with the
> SELinux policy? ie:
> chgrp named /etc/named.conf
> chmod   640 /etc/named.conf
First off, there's the distinction between strict and targeted policy - if
you *really* wanted to mirror that, strict should have chmod 640, but targeted
should have chmod 644 (because Joe User running in unconfined_t will be allowed
to 'more /etc/named.conf').

Secondly, you want to keep the Unix permissions/owners consistent with systems
that *don't* run SELinux.  Otherwise, you *will* go nuts trying to troubleshoot
a permissions problem as systems get divergent settings on them.

Of course, if 'chmod 640 /etc/named.conf' makes sense *even on a non-SELinux*
system (are there any sensitive passwords/etc in there? I don't remember BIND
having any such, but...) then by all means the change should be made...
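An added illustration of the consistency check the reply describes, not code from the thread or from any BIND or SELinux project: a small POSIX shell audit that reports a file's Unix mode, owner, group and (where the system supports it) SELinux label, and flags the mode as a mismatch only when it grants a permission bit the expected mode lacks. The expected mode is a parameter, so the same check can be run with 640 for a strict-policy expectation and 644 for a targeted one. The file it runs against here is a constructed temporary file; the path, the owner and group values, and the hypothetical function names are all assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Audit a file's Unix
# permissions against the mode/owner/group a policy expects, and print
# the SELinux label alongside so the two views can be compared.

# octal_tail MODE -> last three octal digits, zero-padded
# (drops a leading setuid/setgid/sticky digit such as the 2 in 2640).
octal_tail() {
    s=$1
    while [ ${#s} -gt 3 ]; do s=${s#?}; done
    while [ ${#s} -lt 3 ]; do s=0$s; done
    printf '%s' "$s"
}

# mode_within_expected ACTUAL EXPECTED -> exit 0 when ACTUAL grants no
# permission bit that EXPECTED lacks (so 600 is within 640, 644 is not).
mode_within_expected() {
    a=$(octal_tail "$1"); e=$(octal_tail "$2")
    i=0
    while [ $i -lt 3 ]; do
        ad=${a%"${a#?}"}; a=${a#?}      # next digit of actual mode
        ed=${e%"${e#?}"}; e=${e#?}      # next digit of expected mode
        [ $(( ad & ~ed & 7 )) -eq 0 ] || return 1
        i=$((i + 1))
    done
    return 0
}

# audit_file PATH EXPECTED_MODE EXPECTED_OWNER EXPECTED_GROUP
# Prints a one-line report; returns 1 on any mismatch, 2 if unreadable.
audit_file() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    [ -e "$path" ] || { echo "$path: missing"; return 2; }
    info=$(stat -c '%a %U %G' "$path") || return 2
    set -- $info
    mode=$1 owner=$2 group=$3
    # %C is the SELinux context; GNU stat prints '?' when none is available.
    ctx=$(stat -c '%C' "$path" 2>/dev/null || echo '?')
    echo "$path: mode=$mode owner=$owner group=$group selinux=$ctx"
    rc=0
    if ! mode_within_expected "$mode" "$want_mode"; then
        echo "  mode $mode is wider than expected $want_mode"; rc=1
    fi
    [ "$owner" = "$want_owner" ] || { echo "  owner $owner != $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "  group $group != $want_group"; rc=1; }
    return $rc
}

# Demo on a constructed temporary file (the real /etc/named.conf is not touched).
demo_file=$(mktemp)
chmod 644 "$demo_file"
audit_file "$demo_file" 640 "$(id -un)" "$(id -gn)" || echo "  -> mismatch reported (644 vs 640)"
chmod 640 "$demo_file"
audit_file "$demo_file" 640 "$(id -un)" "$(id -gn)" && echo "  -> consistent"
rm -f "$demo_file"
```

Run it with the owner and group the policy calls for (for instance `root` and `named` on a real BIND host) and compare the printed SELinux label with the Unix triple; on a system without SELinux the label column simply reads `?`, which is exactly the case where the Unix bits are the only thing enforcing access.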