Re: Should file permissions match SELinux policy?

On Mon, 11 Jul 2005 15:35:41 MDT, Dax Kelson said:

> Should the owner and group and permissions be made to match up with the
> SELinux policy? i.e.:
> 
> chgrp named /etc/named.conf
> chmod   640 /etc/named.conf

No.

First off, there's the distinction between strict and targeted policy - if
you *really* wanted to mirror that, strict should have chmod 640, but targeted
should have chmod 644 (because Joe User running in unconfined_t will be allowed
to 'more /etc/named.conf').

Secondly, you want to keep the Unix permissions/owners consistent with systems
that *don't* run SELinux.  Otherwise, you *will* go nuts trying to troubleshoot
a permissions problem as systems get divergent settings on them.

Of course, if 'chmod 640 /etc/named.conf' makes sense *even on a non-SELinux*
system (are there any sensitive passwords/etc in there? I don't remember BIND
having any such, but...) then by all means the change should be made...


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
