On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman bob@bobhoffman.com wrote:
> It seems that to run the webservers selinux wants me to allow a ton of privileges to apache, the ftp user, and a bunch of other things... seems like that defeats the purpose. And a script injection will have all those privileges.
No, selinux doesn't give 'extra' privileges to anything. It adds extra restrictions based on the context of the processes and the files/directories besides the ones based on uid/gid.
> I wish I had the time and knowledge to implement it... and add it to my handbook, but on a webserver that is doing mail ins, mail outs, httpd, mysql, php, self-made scripts, fail2ban, and a host of other programs it seems like it requires an experienced hand at it. Or a book.
Yes, it has taken years to get just the standard distributed packages configured correctly - and that's probably with expert advice available to the packagers... You can't just drop it in on top of stuff that has evolved organically for years.