On Tue, 2005-05-24 at 08:08, Micha Silver wrote:
> >
> > The best thing to do is add this to /etc/selinux/config
> >
> > SELINUX=disabled
> >
> > And then get on with the real jobs....
> >
>
> Listening to all the pros and cons of SELinux.
> I'd like to improve the security of our regional web server using SELinux.
> We have a main regional web site and several virtual domains, kept up by
> private users, all on the same server. Some of the private users want to run
> php and database apps on their websites. Up till now I steered away from
> allowing users to run anything on their sites, since a break-in to any
> private virtual domain would endanger the whole http process, including the
> main regional site. I'm preparing to switch over to a new (CentOS 4)
> machine, and I thought to set up a different SELinux context for each
> virtual domain, so that a vulnerability in someone's private web site would
> be isolated and not be able to crash the other domains.
> Is this achievable *without* SELinux??

The simple-minded way has always been to run a separate http
instance bound to a different port or IP address, running as
a different user. If you only have one IP address and need to
appear to be on port 80, you can arrange this with a virtualhost
on the main server that uses proxypass or a rewriterule that
results in a proxy connection to the server running under the
other uid.

---
Les Mikesell
lesmikesell@xxxxxxxxx
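
A sketch of the layout described in the reply above, added here as an illustration and not part of the original message. The host names, the `alice_web` account, port 8081 and all file paths are assumptions; the two halves belong in two separate configuration files, one per httpd instance.

```apache
# ===== File 1: front-end instance (main regional site), owns port 80 =====
# Needs mod_proxy and mod_proxy_http loaded. Runs as the usual httpd account.
Listen 80
User apache
Group apache

# Required for name-based virtual hosts on Apache 2.0 / 2.2
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.region.example
    DocumentRoot /var/www/region
</VirtualHost>

# One private domain: nothing is executed in this process, requests are
# handed to the per-user instance listening on loopback.
<VirtualHost *:80>
    ServerName alice.example
    # Reverse proxy only; never act as an open forward proxy
    ProxyRequests Off
    # Pass the original Host header through to the back end
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

# ===== File 2: back-end instance for that domain (hypothetical path) =====
# Started separately:  httpd -f /etc/httpd/conf/alice.conf
# Bound to loopback so it is reachable only through the front end.
Listen 127.0.0.1:8081
# User/Group take effect when the instance is started as root; since the
# port is above 1024 it can also be started directly as alice_web.
User alice_web
Group alice_web
PidFile /var/run/httpd-alice.pid
ErrorLog /var/log/httpd/alice-error_log
ServerName alice.example
DocumentRoot /home/alice/public_html
# PHP and database modules are loaded only in this instance, so code run
# by this site executes under alice_web's uid, not the main site's.
```

The isolation here comes from ordinary Unix ownership: the main site's files and every other user's document root must not be readable or writable by `alice_web` for the separation to hold.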