--On Friday, July 31, 2009 2:07 PM -0400 Boris Epstein borepstein@gmail.com wrote:
I am running mod_security and also if the intruder gets to the shell level they will be able to bypass SELinux entirely.
How? The SELinux commands require root access. First you'd have to get a root escalation exploit to promote from user apache to root, and then disable SELinux. The exploit in the linked article is stopped because it can't run the escalation program which was downloaded to /tmp.
I believe in security too but security should not be crippling.
Do you also disable iptables, because a firewall is too complicated to configure just to run an IP service?
SELinux is just another kind of firewall, but one between user/process/resource triplets. As with a good network firewall, it denies all by default and one selectively allows the triplets that make sense for one's application.
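As an added illustration of the "denied triplet" view of SELinux described in the reply above (this is example code written for this page, not something posted in the thread), the shell function below reads audit.log-style AVC records and reduces each denial to the subject type, object type, object class and permission that the policy refused. The two log lines are constructed for the example and mimic the denial the reply describes: the httpd_t domain trying to execute a file labelled tmp_t. Only a POSIX sh and awk are assumed; no SELinux-enabled host is needed to run it.

```sh
#!/bin/sh
# Summarise SELinux AVC denials as "subject_type object_type class permission comm".
# Constructed sample records in audit.log AVC format (not real captures).
SAMPLE_AVC='type=AVC msg=audit(1249059000.123:456): avc:  denied  { execute } for  pid=12345 comm="sh" name="escalate" dev=sda3 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1249059001.456:457): avc:  denied  { name_connect } for  pid=12346 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1249059001.456:457): arch=c000003e syscall=42 success=no exit=-13'

# avc_triplets: read audit records on stdin, print one line per denial:
#   <source type> <target type> <tclass> <permission(s)> <comm>
# Non-AVC records (SYSCALL, PATH, ...) are skipped.
avc_triplets() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perm = ""; st = ""; tt = ""; cls = ""; comm = ""
        # "{ execute }" -> "execute"; multiple perms stay space separated
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> third field is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
            else if ($i ~ /^tclass=/) { cls = $i; sub(/^tclass=/, "", cls) }
            else if ($i ~ /^comm=/) { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        }
        printf "%s %s %s %s %s\n", st, tt, cls, perm, comm
    }'
}

# denials_for_domain <type>: only the denials whose subject is that domain,
# e.g. everything the web server's httpd_t domain was refused.
denials_for_domain() {
    avc_triplets | awk -v dom="$1" '$1 == dom'
}

# Usage: the same output a defender would get from `grep avc: /var/log/audit/audit.log`
# piped through the function on a real host.
printf '%s\n' "$SAMPLE_AVC" | denials_for_domain httpd_t
```

The first output line, `httpd_t tmp_t file execute sh`, is exactly the triplet the reply refers to: the apache domain was refused the execute permission on a tmp_t file, so a program dropped into /tmp never runs. The second shows the same mechanism blocking an outbound connection to the MySQL port; whether that one should be allowed is a per-application decision, which is the "selectively allow the triplets that make sense" part.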