On Fri, Jul 31, 2009 at 12:35 PM, Boris Epstein <borepstein@gmail.com> wrote:
> I found an even simpler solution - disabled SELinux. I've got a firewall and that is plenty.
No. It's really not. If someone exploits apache, or php, they'll be coming in via port 80 or 443 which your firewall has helpfully allowed so that you can run your server. The vast majority of successful penetrations I've seen are of two types: brute ssh attacks, and apache/php exploits. If you were running mod_security, that might be slightly more analogous to selinux. I really don't recommend that people disable selinux simply because they can't be bothered to learn it.
Real world reasons for selinux on web servers -> http://www.linuxjournal.com/article/9176