[CentOS] SELinux - way of the future or good idea but !!!

Christopher Chan christopher.chan at bradbury.edu.hk
Sun Nov 28 18:12:34 EST 2010


On Sunday, November 28, 2010 10:50 PM, Scott Robbins wrote:
> On Sun, Nov 28, 2010 at 09:14:43PM +0800, Christopher Chan wrote:
>
>>>
>>> I think it is easier/cheaper to use hardware firewalls and idp systems
>>> to protect servers than fight with selinux on each server.
>>>
>>> SELinux tuning might work on companies with unlimited resources like
>>> NSA .. or if you run server at home with unlimited free time to tune
>>> it up.
>>>
>>
>> Are you some secret agent for botnets? I know they love to get their
>> hands on Linux boxes for use as their command centres for their Windows
>> drones.
>
> Sigh.  I don't think people have the right (or ability) to
> judge another person's situation.
>
> So....
>
> Judging from this, every AIX, Solaris, and BSD administrator are botnet
> agents.  As well as Debian server farms.
>

If they are die-hard don't lock down because it's too troublesome chaps 
then yeah!

Two other schools got their box hacked through phpmyadmin because the 
chap at HQ failed to lock down. I had to show him how to turn on 
SELinux and also figure out from the logs how the bot was uploaded.

I had never done SELinux before that but I got it mostly sorted within a 
morning and completely sorted in two days for some stuff that did not 
initially show up. This was a Moodle box with a mysql backend.

I, therefore, cannot see any excuse for disabling SELinux.

