Re: Centos VPS Kernel 2.6.35.4 & 'string-less' IP tables




On 01/09/11 00:28, Always Learning wrote:
>
> On Wed, 2011-08-31 at 16:11 -0700, Craig White wrote:
>> More to the point, he disables SELinux and then spends hours trying to
>> improve security.
>
> Tell the world the ENTIRE story.
>
> Disabled it because things would not run. Said publicly in the last 7
> days will find time to learn about Selinux and the details of the file
> description blocks which SElinux appears to use.
>
> I am trying to filter-out some web page access attempts in IP Tables.
> When will you accept that has nothing to do with Selinux ?
>

It has EVERYTHING to do with SELinux because SELinux is designed to 
mitigate those security risks you are trying to prevent reaching httpd 
with IPTables as well as those you do not even know about yet.

Security is not a product. It's not about one component. It's a process. 
The best security uses layers of defence, of which IPtables is just one 
layer. SELinux is another layer. Use the right tools for the job. Better 
still, use ALL of the tools available to you rather than concentrating 
all your time on one tool whilst leaving every other door wide open.

Even if you can't fix it, turn ON SELinux and put it in permissive mode. 
It will allow shit to happen, but at least then it will WARN you that 
shit is happening. Better still, just fix the issues.
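The advice above is to switch SELinux on in permissive mode and read the warnings rather than leave it disabled. The following POSIX shell functions are an added example, not code from the original post or the CentOS project: they flip the `SELINUX=` key in a copy of an `/etc/selinux/config`-style file and summarise the AVC denials that permissive mode then writes to auditd's log instead of blocking. The config file and audit lines used for the demonstration are constructed; paths are passed in as arguments so the script runs against copies and is pointed at the real files only when you intend it to.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post).
# Assumptions: a /etc/selinux/config-style file with a SELINUX=<mode> line,
# and AVC denials in auditd's audit.log format ("avc:  denied" with two spaces).

# Rewrite the uncommented SELINUX= line of a config file to the requested mode.
# Comment lines (e.g. "# SELINUX= can take one of...") are left untouched.
set_selinux_mode() {
    cfg="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: unknown mode '$mode'" >&2; return 1 ;;
    esac
    tmp="$cfg.tmp"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the mode currently set by the SELINUX= line of a config file.
get_selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"
}

# Count AVC denials in an audit log. In permissive mode each one is an
# action that enforcing mode would have blocked: this is the "warning" the
# post refers to.
count_avc_denials() {
    grep -c 'avc:  denied' "$1"
}

# Group denials by (source context, target class) so the noisy ones stand out
# and can be fixed (policy boolean, file context) rather than SELinux disabled.
summarise_avc_denials() {
    grep 'avc:  denied' "$1" \
      | sed -n 's/.*scontext=\([^ ]*\).*tclass=\([^ ]*\).*/\1 \2/p' \
      | sort | uniq -c | sort -rn
}

# --- demonstration on constructed data -------------------------------------
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# SELINUX= can take one of these three values (constructed sample):
SELINUX=disabled
SELINUXTYPE=targeted
EOF

demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
type=AVC msg=audit(1314838432.101:201): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314838433.102:202): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314838434.103:203): avc:  denied  { read } for  pid=1235 comm="httpd" name="upload.php" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1314838434.103:203): arch=c000003e syscall=2 success=yes exit=5
EOF

echo "before: SELINUX=$(get_selinux_mode "$demo_cfg")"
set_selinux_mode "$demo_cfg" permissive
echo "after:  SELINUX=$(get_selinux_mode "$demo_cfg")"
echo "AVC denials logged: $(count_avc_denials "$demo_log")"
summarise_avc_denials "$demo_log"
rm -f "$demo_cfg" "$demo_log"
```

On a real host the config edit takes effect at the next boot (`setenforce 0` changes the running mode immediately); the summary is what to read before deciding whether a denial needs a policy boolean, a file-context fix, or is the attack the post is talking about.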



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

