[CentOS] reinventing the wheel? page checker

Les Mikesell lesmikesell at gmail.com
Fri Jun 22 18:40:36 UTC 2012


On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman <bob at bobhoffman.com> wrote:
>>
> It seems that to run the webservers selinux wants me to allow a ton of
> privileges to apache, the ftp user, and a bunch of
> other things...seems like that defeats the purpose. And a script
> injection will have all those privileges.

No, selinux doesn't give 'extra' privileges to anything.  It adds
extra restrictions based on the context of the processes and the
files/directories besides the ones based on uid/gid.

> I wish I had the time and knowledge to implement it...and add it to my
> handbook, but on a webserver that
> is doing mail ins, mail outs, httpd, mysql, php, self made scripts,
> fail2ban, and a host of other programs
> it seems like it requires an experienced hand at it. Or a book.

Yes, it has taken years to get just the standard distributed packages
configured correctly - and that's probably with expert advice
available to the packagers...  You can't just drop it in on top of
stuff that has evolved organically for years.

-- 
  Les Mikesell
    lesmikesell at gmail.com
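
The point made in the reply above, that SELinux only adds restrictions on top of the uid/gid checks, as an added example (not part of the original message): a simplified Python model in which access needs both the mode-bit check and a matching type-enforcement rule. The rules, uids and sample files are constructed for illustration; real policy also covers directories, other object classes and many more permissions.

```python
import re

# Constructed type-enforcement rules in policy syntax (not the real targeted policy).
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_rw_content_t:file { read write getattr open };
"""
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def parse_policy(text):
    """Return {(source_type, target_type, object_class): set_of_permissions}."""
    rules = {}
    for src, tgt, cls, perms in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

RULES = parse_policy(POLICY)

def dac_allows(proc, f, perm):
    """Classic owner/group/other mode-bit check."""
    if proc["uid"] == 0:
        return True  # root bypasses mode bits (CAP_DAC_OVERRIDE)
    bit = {"read": 4, "write": 2}[perm]
    if proc["uid"] == f["uid"]:
        shift = 6
    elif f["gid"] in proc["gids"]:
        shift = 3
    else:
        shift = 0
    return bool((f["mode"] >> shift) & bit)

def mac_allows(proc, f, perm, rules=RULES):
    """Type enforcement: denied unless an allow rule names this domain and type."""
    return perm in rules.get((proc["domain"], f["type"], "file"), set())

def access(proc, f, perm, rules=RULES):
    """The kernel checks DAC first, then SELinux; SELinux can only deny."""
    return dac_allows(proc, f, perm) and mac_allows(proc, f, perm, rules)

# Constructed processes and files.
HTTPD = {"uid": 48, "gids": {48}, "domain": "httpd_t"}
ROOT_HTTPD = {"uid": 0, "gids": {0}, "domain": "httpd_t"}
PAGE = {"uid": 0, "gid": 0, "mode": 0o644, "type": "httpd_sys_content_t"}
PRIVATE = {"uid": 0, "gid": 0, "mode": 0o600, "type": "httpd_sys_content_t"}
HOME_FILE = {"uid": 500, "gid": 500, "mode": 0o644, "type": "user_home_t"}

if __name__ == "__main__":
    for name, f in [("PAGE", PAGE), ("PRIVATE", PRIVATE), ("HOME_FILE", HOME_FILE)]:
        print(name, "httpd read:", access(HTTPD, f, "read"))
```

PRIVATE shows that a policy rule never overrides a mode-bit denial, and HOME_FILE shows a world-readable file still being refused because no rule covers its type, even for a root process in the httpd_t domain.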


