On 01/09/11 00:28, Always Learning wrote:
>
> On Wed, 2011-08-31 at 16:11 -0700, Craig White wrote:
>> More to the point, he disables SELinux and then spends hours trying to
>> improve security.
>
> Tell the world the ENTIRE story.
>
> Disabled it because things would not run. Said publicly in the last 7
> days will find time to learn about SELinux and the details of the file
> description blocks which SELinux appear to use.
>
> I am trying to filter out some web page access attempts in IP Tables.
> When will you accept that has nothing to do with SELinux?

It has EVERYTHING to do with SELinux, because SELinux is designed to mitigate the security risks you are trying to prevent from reaching httpd with IPTables, as well as those you do not even know about yet.

Security is not a product. It's not about one component. It's a process. The best security uses layers of defence, of which IPTables is just one layer. SELinux is another layer. Use the right tools for the job. Better still, use ALL of the tools available to you rather than concentrating all your time on one tool whilst leaving every other door wide open.

Even if you can't fix it, turn ON SELinux and put it in permissive mode. It will allow shit to happen, but at least then it will WARN you that shit is happening. Better still, just fix the issues.
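As an added illustration of the "permissive mode still warns you" point above (this is not part of the original thread and not anyone's posted script): the script below flips the SELINUX= line of a config file from disabled to permissive and then pulls AVC denial records out of an audit log, which is exactly the signal you lose when SELinux is disabled. It works on a constructed copy of /etc/selinux/config and a handful of constructed audit.log lines so it runs offline; the file paths, the httpd denials and the helper names (selinux_mode, set_selinux_mode, count_avc_denials, summarise_avc_denials) are all assumptions made for the example, and on a real CentOS box you would point the functions at /etc/selinux/config and /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Everything below works on a
# constructed copy of /etc/selinux/config and a constructed audit.log excerpt.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed config in the "disabled" state the thread is arguing against.
cat > "$WORK/selinux.config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
SELINUXTYPE=targeted
EOF

# Constructed audit.log excerpt: two AVC denials against httpd (a read of a
# file in a home directory and a connect to the MySQL port) plus unrelated
# records. Real lines have the same shape but different pids, inodes and times.
cat > "$WORK/audit.log" <<'EOF'
type=USER_START msg=audit(1314834496.123:100): pid=2201 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 msg='op=PAM:session_open acct="root" exe="/bin/su" res=success'
type=AVC msg=audit(1314834500.421:101): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1314834500.421:101): arch=c000003e syscall=2 success=no exit=-13 a0=7f1e3c00b8d0 a1=80000 a2=0 a3=0 items=0 ppid=2300 pid=2345 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1314834512.007:102): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF

# Print the SELINUX= mode recorded in a config file (comment lines and
# SELINUXTYPE= are ignored).
selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"
}

# Rewrite the SELINUX= line of a config file to the requested mode. This is
# the same edit you would make by hand in /etc/selinux/config; leaving the
# "disabled" state needs a reboot (setenforce only toggles between
# permissive and enforcing once a policy is loaded).
set_selinux_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown SELinux mode: $2" >&2; return 1 ;;
    esac
    sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Count AVC denial records in an audit log. In permissive mode these are
# logged but not blocked; with SELinux disabled they are never produced.
count_avc_denials() {
    grep -c 'type=AVC .* avc:  denied ' "$1" || true
}

# One line per denial: "<source domain> <permission(s)> <class> <target type>",
# e.g. "httpd_t read file user_home_t". Multi-permission denials like
# "{ read write }" are kept as one space-separated field.
summarise_avc_denials() {
    grep 'type=AVC .* avc:  denied ' "$1" | sed -n \
        's/.*denied  { \([a-z_ ]*\) }.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \1 \4 \3/p'
}

echo "before: SELINUX=$(selinux_mode "$WORK/selinux.config")"
set_selinux_mode "$WORK/selinux.config" permissive
echo "after:  SELINUX=$(selinux_mode "$WORK/selinux.config")"
echo "AVC denials in sample log: $(count_avc_denials "$WORK/audit.log")"
summarise_avc_denials "$WORK/audit.log"
```

The summary lines are the input you would hand to audit2allow (or, better, the hint that the content belongs under /var/www with the httpd_sys_content_t label, or that the httpd_can_network_connect_db boolean needs enabling) rather than a reason to switch SELinux off again.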