On Fri, Jul 31, 2009 at 12:50 PM, Jim Perrin <jperrin at gmail.com> wrote:
> On Fri, Jul 31, 2009 at 12:35 PM, Boris Epstein <borepstein at gmail.com> wrote:
>
>> I found an even simpler solution - disabled SELinux. I've got a
>> firewall and that is plenty.
>
> No. It's really not. If someone exploits apache, or php, they'll be
> coming in via port 80 or 443 which your firewall has helpfully allowed
> so that you can run your server. The vast majority of successful
> penetrations I've seen are of two types. Brute ssh attacks, and
> apache/php exploits. If you were running mod_security, that might be
> slightly more analogous to selinux. I really don't recommend that
> people disable selinux simply because they can't be bothered to learn
> it.
>
> Real world reasons for selinux on web servers ->
> http://www.linuxjournal.com/article/9176
>
> --
> During times of universal deceit, telling the truth becomes a revolutionary act.
> George Orwell

I am running mod_security, and also if the intruder gets to the shell level they will be able to bypass the SELinux entirely. I believe in security too, but security should not be crippling.

Boris.