[CentOS] SELinux - way of the future or good idea but !!!

Christopher Chan christopher.chan at bradbury.edu.hk
Sun Nov 28 18:12:34 EST 2010

On Sunday, November 28, 2010 10:50 PM, Scott Robbins wrote:
> On Sun, Nov 28, 2010 at 09:14:43PM +0800, Christopher Chan wrote:
>>> I think it is easier/cheaper to use hardware firewalls and idp systems
>>> to protect servers than fight with selinux on each server.
>>> SELinux tuning might work on companies with unlimited resources like
>>> NSA .. or if you run server at home with unlimited free time to tune
>>> it up.
>> Are you some secret agent for botnets? I know they love to get their
>> hands on Linux boxes for use as their command centres for their Windows
>> drones.
> Sigh.  I don't think people have the right (or ability) to
> judge another person's situation.
> So....
> Judging from this, every AIX, Solaris, and BSD administrator are botnet
> agents.  As well as Debian server farms.

If they are die-hard "don't lock down because it's too troublesome" chaps,
then yeah!

Two other schools got their box hacked through phpmyadmin because the 
chap at HQ failed to lock down. I had to show him how to turn on 
SELinux and also figure out from the logs how the bot was uploaded.

I had never done SELinux before that but I got it mostly sorted within a 
morning and completely sorted in two days for some stuff that did not 
initially show up. This was a Moodle box with a mysql backend.

I, therefore, cannot see any excuse for disabling SELinux.
