[CentOS] reinventing the wheel? page checker
Les Mikesell
lesmikesell at gmail.com
Fri Jun 22 18:40:36 UTC 2012
On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman <bob at bobhoffman.com> wrote:
>>
> It seems that to run the webservers selinux wants me to allow a ton of
> privileges to apache, the ftp user, and a bunch of
> other things...seems like that defeats the purpose. And a script
> injection will have all those privileges.
No, selinux doesn't give 'extra' privileges to anything. It adds
extra restrictions based on the context of the processes and the
files/directories besides the ones based on uid/gid.
> I wish I had the time and knowledge to implement it...and add it to my
> handbook, but on a webserver that
> is doing mail ins, mail outs, httpd, mysql, php, self made scripts,
> fail2ban, and a host of other programs
> it seems like it requires an experienced hand at it. Or a book.
Yes, it has taken years to get just the standard distributed packages
configured correctly - and that's probably with expert advice
available to the packagers... You can't just drop it in on top of
stuff that has evolved organically for years.
--
Les Mikesell
lesmikesell at gmail.com