-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Marko Vojinovic wrote: > On Monday 15 October 2007 19:24, Daniel J Walsh wrote: >> Marko Vojinovic wrote: >>> I am a newbie to SELinux, so would prefer not to create local policies >>> etc. What should I do in order to allow access for a typical service to >>> typical directory? >> You need to change the labeling on /www >> >> Probably something like >> >> # semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?' >> # restorecon -R -v /www >> >> In order to allow httpd to read content in home directories >> you need to turn on httpd_enable_homedirs >> >> setsebool -P httpd_enable_homedirs 1 > > Thanks! This works great! :-) > > I was amazed to see the wealth of switches listed by getsebool -a once I found > out about it. Also when I discovered that your answer was actually in > examples section of man semanage :-) ... > > I am going to like SELinux once I get familiar with the ways to configure it. > > Btw, what is the actual difference between targeted and strict policies? Why > are there two of them? I mean, if someone uses SELinux to make the system > more secure, why is there a distinction between "more secure" and "half more > secure"? > > Thanks for the help! :-) > > Best regards, :-) > Marko > > Marko Vojinovic > Institute of Physics > University of Belgrade > ====================== > e-mail: vmarko@xxxxxxxxxxxx > The main different between strict and targeted in F6 and beyond and RHEL5 is that strict confines userspace while targeted only confined system space. As of Fedora 8 strict policy no longer exists. You can combine unconfined users with confined user (xguest, guest). This allows you to have some thoroughly locked down users while running the trusted users as full capability. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHFhfBrlYvE4MpobMRAsG0AKC8qj3AoXjrxubHJasVCGS++PuKfACfU6pF ytHzMbSaZfZScXAdVzqDE6Q= =B1Qn -----END PGP SIGNATURE----- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list