On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman <bob at bobhoffman.com> wrote:
>
> It seems that to run the webservers selinux wants me to allow a ton of
> privileges to apache, the ftp user, and a bunch of
> other things...seems like that defeats the purpose. And a script
> injection will have all those privileges.

No, selinux doesn't give 'extra' privileges to anything. It adds extra
restrictions based on the context of the processes and the
files/directories besides the ones based on uid/gid.

> I wish I had the time and knowledge to implement it...and add it to my
> handbook, but on a webserver that
> is doing mail ins, mail outs, httpd, mysql, php, self-made scripts,
> fail2ban, and a host of other programs
> it seems like it requires an experienced hand at it. Or a book.

Yes, it has taken years to get just the standard distributed packages
configured correctly - and that's probably with expert advice available
to the packagers... You can't just drop it in on top of stuff that has
evolved organically for years.

--
Les Mikesell
lesmikesell at gmail.com
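The point Les makes above is that an SELinux denial is keyed on the process domain and the object type, not on uid/gid, so the fix is usually to correct a label or flip a boolean rather than to "allow a ton of privileges" to httpd. The script below is an added example written for this page, not code from the list or from the SELinux project. It parses AVC denial lines in the shape audit.log writes them (the three sample lines are constructed, not taken from anyone's system), pulls out the source type, target type, permission and object class, and returns a narrow remediation hint. The BOOLEAN_HINTS table lists two real Apache booleans (httpd_can_sendmail, httpd_can_network_connect_db); the triage rules themselves are a heuristic written for this example and are an assumption, not policy documentation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the shape /var/log/audit/audit.log uses for AVC
# denials. They are illustrative and not taken from the thread or a real host.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1340380000.123:4567): avc:  denied  { read } for  pid=2345 '
    'comm="httpd" name="index.php" dev="sda1" ino=393221 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1340380001.456:4568): avc:  denied  { name_connect } for  pid=2345 '
    'comm="httpd" dest=25 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1340380002.789:4569): avc:  denied  { name_connect } for  pid=2345 '
    'comm="httpd" dest=3306 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

# Real booleans that grant exactly this access, keyed by (source type, target type).
# Small illustrative table for the example, not a complete policy reference.
BOOLEAN_HINTS: Dict[Tuple[str, str], str] = {
    ("httpd_t", "smtp_port_t"): "httpd_can_sendmail",
    ("httpd_t", "mysqld_port_t"): "httpd_can_network_connect_db",
}
FILE_CLASSES = {"file", "dir", "lnk_file"}

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass
class Denial:
    comm: str
    perms: Tuple[str, ...]
    source_type: str   # domain of the process (e.g. httpd_t)
    target_type: str   # type of the object it touched (e.g. user_home_t)
    tclass: str        # object class (file, dir, tcp_socket, ...)


def context_type(ctx: str) -> str:
    """A context is user:role:type[:level]; policy rules are written against the type."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx}")
    return parts[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return the Denial described by an AVC line, or None for non-AVC records."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    return Denial(
        comm=m.group("comm"),
        perms=tuple(m.group("perms").split()),
        source_type=context_type(m.group("scontext")),
        target_type=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
    )


def triage(d: Denial) -> str:
    """Heuristic remediation hint (assumption made for this example).

    Order of preference: a known boolean, then a relabel, and only then a policy
    change. A generated allow rule widens the whole domain, so an injected script
    running as httpd_t would inherit it; a relabel or boolean does not.
    """
    key = (d.source_type, d.target_type)
    if key in BOOLEAN_HINTS:
        return f"boolean: setsebool -P {BOOLEAN_HINTS[key]} on"
    prefix = d.source_type[:-2] if d.source_type.endswith("_t") else d.source_type
    if d.tclass in FILE_CLASSES:
        if d.target_type.startswith(prefix + "_"):
            return (f"policy: {d.target_type} is already a {prefix}_* type; "
                    f"run audit2why on this record before touching audit2allow")
        return (f"relabel: object is {d.target_type}, not a {prefix}_* type; "
                f"check with ls -Z and fix with restorecon -Rv or semanage fcontext")
    return "unknown: run audit2why on this record before considering audit2allow"


def summarize(lines: List[str]) -> List[str]:
    """One human-readable line per denial; records that are not AVC denials are skipped."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        out.append(f"{d.comm} ({d.source_type}) denied {{ {' '.join(d.perms)} }} "
                   f"on {d.tclass} of type {d.target_type} -> {triage(d)}")
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_AVC_LINES):
        print(row)
```

On a real host feed it the output of `ausearch -m avc` instead of SAMPLE_AVC_LINES; the first sample (httpd_t reading a user_home_t file) is the common case behind the "allow a ton of privileges" impression, and the right answer there is a label fix, not an allow rule.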