[CentOS] Apache not liking directories outside of /var/www

Fri Jul 31 17:50:47 UTC 2009
Kenneth Porter <shiva at sewingwitch.com>

--On Friday, July 31, 2009 2:07 PM -0400 Boris Epstein 
<borepstein at gmail.com> wrote:

> I am running mod_security and also if the intruder gets to the shell
> level they will be able to bypass the SELinux entirely.

How? The selinux commands require root access. First you'd have to get a 
root escalation exploit to promote from user apache to root, and then 
disable selinux. The exploit in the linked article is stopped because it 
can't run the escalation program which was downloaded to /tmp.

> I believe in security too but security should not be crippling.

Do you also disable iptables, because a firewall is too complicated to 
configure just to run an IP service?

SELinux is just another kind of firewall, but one between 
user/process/resource triplets. As with a good network firewall, it denies 
all by default and one selectively allows the triplets that make sense for 
one's application.