[CentOS] reinventing the wheel? page checker

Fri Jun 22 18:40:36 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman <bob at bobhoffman.com> wrote:
> It seems that to run the webservers selinux wants me to allow a ton of
> privileges to apache, the ftp user, and a bunch of
> other things...seems like that defeats the purpose. And a script
> injection will have all those privileges.

No, selinux doesn't give 'extra' privileges to anything.  It adds
extra restrictions based on the context of the processes and the
files/directories besides the ones based on uid/gid.

> I wish I had the time and knowledge to implement it...and add it to my
> handbook, but on a webserver that
> is doing mail ins, mail outs, httpd, mysql, php, self made scripts,
> fail2ban, and a host of other programs
> it seems like it requires an experienced hand at it. Or a book.

Yes, it has taken years to get just the standard distributed packages
configured correctly - and that's probably with expert advice
available to the packagers...  You can't just drop it in on top of
stuff that has evolved organically for years.

  Les Mikesell
    lesmikesell at gmail.com