Stephen Smalley wrote:
On Fri, 2004-06-04 at 10:53, Daniel J Walsh wrote:
Today's selinux-policy-* RPMS attempt to handle the /etc/selinux/config
and /etc/sysconfig/selinux files in the post install.
Please check them out.
Shouldn't it default to SELINUX=permissive in the absence of any
/etc/sysconfig/selinux file?
No. Well, the only way this should happen is on a fresh install or a
disabled SELinux box. I don't like permissive because we end up with too
many false AVC Messages. A fresh install should put down proper context
and with targeted policy, enforcing should work out of the box. Also I
have a concern about people forgetting to change permissive to
enforcing, and having a false sense of security.
Do we need a dependency on the newer libselinux, policycoreutils, and
SysVinit that are aware of the new policy locations?
Probably. Any application that uses default contexts needs to use the
new library.