On Thu, Jul 25, 2013 at 8:39 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
> On 25.07.2013 20:31, drago01 wrote:
>> On Thu, Jul 25, 2013 at 6:36 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>> On 25.07.2013 17:57, drago01 wrote:
>>>>> in theory yes
>>>>>
>>>>> practically an exploit is not that easy, like firing
>>>>> a bundle of commands as root like a script
>>>>>
>>>>>> So we're talking about limited circumstances where
>>>>>> the attacker can modify files and not execute code, or where the
>>>>>> attacker is root but not CAP_SYS_ADMIN (or whatever it is)
>>>>>
>>>>> a httpd running with SElinux disabled or in permissive mode with
>>>>
>>>> Here is your problem ... How about running it in enforcing mode? I mean you care about security and disable
>>>> security features at the same time. If there are selinux bugs, file and/or fix them
>>>
>>> if you are able to marry pure-ftpd, samba and 250 cms-installations predictably
>>> on a machine running also *self developed* management-software for a complete
>>> infrastructure on 20 Fedora servers with SElinux go ahead :-)
>>
>> You missed the "and/or fix and file bugs" part
>
> you missed the *self developed* management-software

No I did not. The selinux policy is supposed to work fine for them as well.
You can even amend the policy for your specific needs.

>> "It does not work so let's disable it and add hacks to get the same
>> functionality back" is bad practice.
>
> no, using as many security options as possible without
> damaging the operational work is the one and only practice
> if it comes to *business* and a lot of people living
> from 365/24/7 up services with no "permission denied"
> where it is not intended
>
>> If it does not work we should fix it
>
> *you* can *not* fix anything in packages

Sure I can, done that countless times in the past. Or IOW no idea what that is supposed to mean.

> in my case these are over more than 10 years grown environments

Irrelevant.

> responsible for over 600 domains which were migrated from MacOSX
> to Fedora years ago,

Irrelevant.

> there are a *lot* of packages involved which
> do not exist for Fedora in the public

There might still be bugs in them (and/or in the selinux-policy package).
Being more specific would be way more productive. Like "my app tries to do X but fails with the following message".

You don't have to run enforcing straight out. You can start with permissive, fix the bugs / your configuration and once you have done that switch to enforcing.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
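The permissive-first workflow drago01 recommends at the end of the thread, as an added shell example that is not part of the mailing-list post and not Fedora's own tooling. It bundles a small summariser for AVC "denied" records (the "fix the bugs / your configuration" step needs to know which domain was denied what on which label) with the switch to enforcing once a run logs no denials. The `SAMPLE_AVC` records are constructed sample data in the audit.log format; the function names, the `/srv/www` path in the comments and the audit.log location are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the thread: "start permissive, fix the denials,
# then switch to enforcing", with an AVC-denial summariser to drive the
# fixing step. SAMPLE_AVC is constructed sample data, not real log output.

SAMPLE_AVC='type=AVC msg=audit(1374770000.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="config.php" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1374770001.456:102): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.php" dev="dm-0" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1374770002.789:103): avc:  denied  { write } for  pid=1234 comm="httpd" name="cache" dev="dm-0" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1374770003.321:104): avc:  denied  { getattr } for  pid=2345 comm="smbd" path="/srv/share" dev="dm-0" ino=4321 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# summarize_denials: read audit records on stdin, print one line per distinct
# denial as "count comm permissions target_type tclass", most frequent first.
# Only AVC "denied" records are considered; "granted" and other types are ignored.
summarize_denials() {
    grep -E 'avc: +denied' | awk '{
        perms = ""; comm = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # permissions appear as "{ a b }"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            } else if ($i ~ /^comm=/) {            # comm="httpd" -> httpd
                comm = substr($i, 6); gsub(/"/, "", comm)
            } else if ($i ~ /^tcontext=/) {        # user:role:type:level -> type
                split(substr($i, 10), ctx, ":"); ttype = ctx[3]
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            }
        }
        count[comm " " perms " " ttype " " tclass]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Helpers over the constructed sample (used to check the parser).
denial_tuple_count() { printf '%s\n' "$SAMPLE_AVC" | summarize_denials | wc -l | tr -d ' '; }
top_denial()         { printf '%s\n' "$SAMPLE_AVC" | summarize_denials | head -n 1; }

# The workflow itself. It needs root on a real Fedora host, so it is only
# defined here and never called; running it in this file would fail.
permissive_then_enforcing() {
    setenforce 0                                   # permissive: log, don't block
    # ... exercise every service (httpd, samba, ftp, the management tools)
    #     long enough to hit all code paths, then review what was logged:
    summarize_denials < /var/log/audit/audit.log
    # Typical fixes for what shows up, e.g. httpd_t denied read on user_home_t:
    #   restorecon -Rv /path/to/content                 (mislabelled, e.g. copied files)
    #   semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'   (hypothetical path)
    #   audit2allow -a -M local && semodule -i local.pp (last resort; review the .te first)
    # Once a fresh run logs no denials, make enforcing persistent, then switch now:
    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    setenforce 1
}

# Stand-alone run: show the summary for the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_denials
```

The summary groups by source command, permission set, target type and object class rather than by file name, because that is the granularity at which a label fix (`restorecon`, `semanage fcontext`) or a local policy module applies; two denials on different files under the same wrong label collapse into one line with a count of 2.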