-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 26 Sep 2007 21:28:58 -0400
Jesse Keating <jkeating@xxxxxxxxxx> wrote:

> On Wed, 26 Sep 2007 21:17:39 -0400
> Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
>
> > AFAIK, selinux only knows about a couple servers, like apache,
> > having data in /srv. If SE Linux is going to protect the data, a
> > standard mapping between /srv and /var for everything should be
> > worked out so that policy can be adapted.
>
> Therein lies the problem. /srv/ is open ground for sysadmins to use,

And /var/ isn't "open ground"? Perhaps it shouldn't be, but the reality of things today is that it's a jumbled, cluttered mess. Sure, we've been using it this way for decades and are familiar with it. The /srv/ directory is quite new by comparison.

As others have pointed out in this thread, a good number of real world sysadmins move things like web and ftp out of /var/ and/or create separate partitions/volumes to hold such content.

The /var/ directory has been the catch-all location whenever people didn't know where a more appropriate location could be found for something. It's ugly and just because that's the way things have been forever doesn't mean it has to stay that way.

The /srv/ directory is a good solution for two primary reasons:

1. Backups; just deal with /etc/ and /srv/ (and perhaps /home/ depending on the role of the box) if there's nothing left in /var/ that is non transitory. Things like the RPM DB should be in /var/ and shouldn't be backed up.

2. Organization. The data your services are serving up is under /srv/, their configs are in /etc/ and you don't have to think about where to find stuff.

> we can't prepopulate it with anything,

Why not? I have yet to see a single, viable argument on this list to explain why having /srv/web/ or /srv/ftp/ can't work as a starting point for a distribution nor for Fedora. Don't get me wrong, there have been a few ideas put forth, but so far, none of them have held water.

> and we can't assume what the
> local admin will use for a scheme. /srv/<site>/{web,ftp,backup}
> or /srv/{web,ftp,backup}/<site> or some other combo.

What does it matter? If someone is going to change /var/www/ and /var/ftp/ and others to a per-site organization, they're already doing something different from what is default on any UNIX or UNIX-like OS that I know of.

Besides, SELinux won't care. You simply assign the right types to the per-site www/, ftp/, etc. directories and it will just work. Yes, I know, the parent directory structure will still have to allow those services to get there, too; again, if someone is reorganizing "against-the-grain," then they'll have to deal with that either way.

- -- 
Lamont Peterson <lamont@xxxxxxxxxxxx>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

NOTE: All messages from this email address should be digitally signed with my 0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as well as other keyservers that sync with MIT's.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG+yNL+YBsl9wN1AkRAtGqAKChSeBO6PsOEX+slAxdaQPJINKn/gCgoVlm
8mmvYiUMbk8+AQ6pj0xnvt4=
=Ph3L
-----END PGP SIGNATURE-----
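
The type assignment described in the message above, for both /srv layouts named in the thread, as an added example that is not part of the original message or of Fedora's policy. It assumes the reference-policy types `httpd_sys_content_t` (web) and `public_content_t` (ftp); the function name and site names are hypothetical, and the script only prints the rules so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: print (do not execute) SELinux file-context rules for
# per-site content under /srv. Types are assumed, site names are constructed.

# srv_fcontext_rules LAYOUT SITE...
#   site-first    -> /srv/<site>/{web,ftp}
#   service-first -> /srv/{web,ftp}/<site>
srv_fcontext_rules() {
    layout=$1; shift
    for site in "$@"; do
        # Accept only plain hostname-like tokens, so a site name can never
        # smuggle regex syntax or path traversal into a labeling rule.
        case $site in
            ''|*[!A-Za-z0-9._-]*|.*)
                echo "skip: bad site name '$site'" >&2; continue ;;
        esac
        # semanage fcontext paths are regular expressions: escape the dots.
        esc=$(printf '%s' "$site" | sed 's/\./\\./g')
        for pair in web:httpd_sys_content_t ftp:public_content_t; do
            svc=${pair%%:*}; type=${pair#*:}
            case $layout in
                site-first)    path="/srv/$esc/$svc" ;;
                service-first) path="/srv/$svc/$esc" ;;
                *) echo "unknown layout '$layout'" >&2; return 2 ;;
            esac
            printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$path"
        done
    done
    # Apply the stored contexts to files that already exist.
    printf 'restorecon -Rv /srv\n'
}

srv_fcontext_rules site-first www.example.com
srv_fcontext_rules service-first www.example.com
```

Either layout yields the same two types per site; only the path regex differs. The parent directories still need a label the services are allowed to search, as the message notes.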