On Thu, Nov 11, 2004 at 05:03:36PM +0100, Thomas Vander Stichele wrote:
> Hi,
>
> > > - A lot of developers I know, including a bunch at Red Hat, *turn off
> > > SELINUX entirely*. IMO, something that gets pushed at heavily as this
> > > should be dogfooded by the development team at Red Hat completely, so
> > > they encounter firsthand what it means and how to fix basic issues.
> >
> > FWIW I have three machines here, of which two have SELinux always on in
> > enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
> > sometimes things break...). They're all using the targeted policy.
>
> Oh, I'm sure there are developers dogfooding it. My point is that *all*
> of the Red Hat developers should be dogfooding it if you think SELINUX
> should be the default (which I assume is being thought since it's the
> default in anaconda).

I dogfood it on all my test boxes. But the reality is that if you use a
slightly non-default configuration for httpd or enable any of the
"interesting" modules, or use any interesting PHP webapps, etc, then you
are going to have to either write a shed-load of SELinux policy specific
to your configuration, or you're going to disable the httpd target in
s-c-securitylevel.

That's just a fact of SELinux as far as I can tell. The conclusion I draw
from this is, as I've said before, that it's not correct to have httpd
covered by the SELinux policy *by default*.

joe