On Thu, 2004-10-07 at 03:20, Arjan van de Ven wrote:
> On Thu, 2004-10-07 at 01:24, Nathan Grennan wrote:
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127900
> >
> > I don't think it is reasonable to have to relabel
> > every time a file is moved around to work around possible problems with
> > SELinux.
>
> sounds like apache should automatically relabel or something on start.

Consider the parallel for DAC: would you recommend having apache run
chown/chmod -R on /var/www on every start? Not a good idea for
relabeling either.

> The goal of the default selinux policy is to be invisible unless you're
> an exploit. Seems like it's not ;(

Teaching users to use restorecon in the same manner as chmod/chown if
they want to export data to one of the confined services like apache is
not an undue burden. Note that SELinux isn't preventing the user from
doing what he wants; it is just preventing a confined service (apache)
from accessing a file whose protections indicate that it shouldn't be
accessible. No different than the user moving a file there without
applying chown/chmod appropriately.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency