> > > On Tue, 2005-05-24 at 08:08, Micha Silver wrote:
> > > > > > The best thing to do is add this to /etc/selinux/config
> > > > > >
> > > > > > SELINUX=disabled
> > > > > >
> > > > > > And then get on with the real jobs....
> > > > > >
> >
> > Listening to all the pros and cons of SELinux.
> > I'd like to improve the security of our regional web server using
> > SELinux. We have a main regional web site and several virtual
> > domains, kept up by private users, all on the same server. Some of
> > the private users want to run php and database apps on their
> > websites. Up till now I steered away from allowing users to run
> > anything on their sites, since a break-in to any private virtual
> > domain would endanger the whole http process, including the main
> > regional site. I'm preparing to switch over to a new (CentOS 4)
> > machine, and I thought to set up a different SELinux context for
> > each virtual domain, so that a vulnerability in someone's private
> > web site would be isolated and not be able to crash the other
> > domains.
> > Is this achievable *without* SELinux??
>
> The simple-minded way has always been to run a separate http
> instance bound to a different port or IP address, running as
> a different user. If you only have one IP address and need
> to appear to be on port 80, you can arrange this with a
> virtualhost on the main server that uses proxypass or a
> rewriterule that results in a proxy connection to the server
> running under the other uid.
>

Thanks Les,
With several virtual domains, setting each up on a separate port with
rewrite rules, and running several httpd processes under different UIDs
would quickly become not so "simple-minded".

Regards,
Micha

> ---
> Les Mikesell
> lesmikesell@xxxxxxxxx
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
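
The per-user httpd arrangement discussed in this thread, as an added example that is not part of the original messages: a front-end virtual host on port 80 proxying to a second httpd instance that runs under its own UID. The host name, port, account name and paths are hypothetical placeholders, and only the directives that differ from a stock configuration are shown.

```apache
# --- Front end: the main httpd on port 80 (hypothetical vhost file) ---
# Requires mod_proxy and mod_proxy_http to be loaded.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName user1.example.org

    # Reverse proxy only: keep forward proxying switched off.
    ProxyRequests Off

    # Hand the original Host header to the back end so the site
    # sees its own name rather than 127.0.0.1:8081.
    ProxyPreserveHost On

    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

# --- Back end: separate httpd for this site, started with its own ---
# --- configuration file (httpd -f <path to this file>)            ---

# Bind to loopback only, so the instance is reachable solely through
# the front-end proxy and not directly from the network.
Listen 127.0.0.1:8081

# Dedicated, unprivileged account for this one site (hypothetical name).
# PHP and other in-process handlers run with this identity.
User  user1web
Group user1web

# Per-instance state and logs so the instances do not collide.
PidFile  /var/run/httpd-user1.pid
ErrorLog /var/log/httpd-user1/error_log

ServerName   user1.example.org
DocumentRoot /home/user1/public_html
```

The separation is only as strong as the file permissions behind it: each site's document root and data should be unreadable to the other sites' accounts. Every additional site repeats the whole back-end block with a new port, account and set of processes, which is the overhead raised in the reply above.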