On Mon, 11 Jul 2005 15:35:41 MDT, Dax Kelson said:

> Should the owner and group and permissions be made to match up with the
> SELinux policy? ie:
>
> chgrp named /etc/named.conf
> chmod 640 /etc/named.conf

No. First off, there's the distinction between strict and targeted policy - if you *really* wanted to mirror that, strict should have chmod 640, but targeted should have chmod 644 (because Joe User running in unconfined_t will be allowed to 'more /etc/named.conf').

Secondly, you want to keep the Unix permissions/owners consistent with systems that *don't* run SELinux. Otherwise, you *will* go nuts trying to troubleshoot a permissions problem as systems get divergent settings on them.

Of course, if 'chmod 640 /etc/named.conf' makes sense *even on a non-SELinux* system (are there any sensitive passwords/etc in there? I don't remember BIND having any such, but...) then by all means the change should be made...

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list