Should file permissions match SELinux policy?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Jul 12 16:04:33 UTC 2005


On Mon, 11 Jul 2005 15:35:41 MDT, Dax Kelson said:

> Should the owner and group and permissions be made to match up with the
> SELinux policy? i.e.:
> 
> chgrp named /etc/named.conf
> chmod   640 /etc/named.conf

No.

First off, there's the distinction between strict and targeted policy - if
you *really* wanted to mirror that, strict should have chmod 640, but targeted
should have chmod 644 (because Joe User running in unconfined_t will be allowed
to 'more /etc/named.conf').

Secondly, you want to keep the Unix permissions/owners consistent with systems
that *don't* run SELinux.  Otherwise, you *will* go nuts trying to troubleshoot
a permissions problem as systems get divergent settings on them.

Of course, if 'chmod 640 /etc/named.conf' makes sense *even on a non-SELinux*
system (are there any sensitive passwords/etc in there? I don't remember BIND
having any such, but...) then by all means the change should be made...
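A small audit of the point made above, added here as an example and not part of the post or of any BIND or SELinux tooling: it reports a file's owner, group, mode and SELinux label side by side, but only judges the DAC triple against a baseline shared with non-SELinux hosts, since the label is decided by whichever policy is loaded. The expected values root:named 644 and the helper names are assumptions.

```python
import grp, os, pwd, stat, tempfile
from typing import Dict, List, Optional, Tuple


def selinux_label(path: str) -> Optional[str]:
    """Context from the security.selinux xattr; None when the file is unlabeled
    (non-SELinux host) or the platform lacks os.getxattr."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        return getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None


def describe(path: str) -> Dict[str, object]:
    """Owner, group, octal mode and SELinux label of one file, side by side."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid without a passwd entry
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return {"owner": owner, "group": group,
            "mode": stat.S_IMODE(st.st_mode), "label": selinux_label(path)}


def audit(path: str, expected: Tuple[str, str, int]) -> List[str]:
    """DAC drift findings for one file.  The label is shown by describe() but
    never judged here: it is a separate layer decided by the loaded policy."""
    actual = describe(path)
    findings = []
    for key, want in zip(("owner", "group", "mode"), expected):
        if actual[key] != want:
            fmt = "o" if key == "mode" else ""
            findings.append(f"{key} {actual[key]:{fmt}} (expected {want:{fmt}})")
    return findings


def make_sample(mode: int) -> str:
    """Throwaway file with a chosen mode, so the audit runs without touching /etc
    (constructed test input)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":  # assumed baseline for the file discussed on the list
    if os.path.exists("/etc/named.conf"):
        print(describe("/etc/named.conf"), audit("/etc/named.conf", ("root", "named", 0o644)))
```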