senlinux configuration, are you sure it's the right way?

Farkas Levente lfarkas at
Thu Mar 31 15:59:37 UTC 2005

after i having played a few days with selinux, apache and other daemons 
and programs the whole selinux configuration seems to me a bit 
confusing. if i found any kind of problem with the "default" selinux 
setup which is not big thing since most systems are different and there 
are a lots of program which are not included in the core distro. i have 
to report it and the next update will include it. my question why 
selinux include the default policies? why selinux-policy-* contains the 
right acces rights for all included deamons, programs? wouldn't it be 
much better to all package include it's own policy and in the rpm 
postinstall session reload/add/modify the new policies. this is 
something similar to the libs. i only install only those lib which 
needed for me and at the postinstall session run an ldconfig. i wouldn't 
like to install all libs! why should i install policies for eg. apache 
when i don't run apache? why should i update selinux-policy-* just 
because there was a bug in the apache part of the policy when i don't 
run apache? the current case is something one big monolitic policy 
configuration which most of the time not suitable for anyone (anyone who 
run anything else then the default need to modify it or run any 
webscript or). of course my main problem not with apache policies rather 
then the whole system and way of configuration of selinux. wouldn't be 
any easier and modularized way to use selinux and configure it for the 
needed thing. probably there is need for some core policy but all others 
policy can be modularized. or do i missed something?
just my 2c.

   Levente                               "Si vis pacem para bellum!"

More information about the fedora-selinux-list mailing list