Re: reinventing the wheel? page checker


On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman <bob@xxxxxxxxxxxxxx> wrote:
>>
> It seems that to run the webservers selinux wants me to allow a ton of
> privileges to apache, the ftp user, and a bunch of
> other things...seems like that defeats the purpose. And a script
> injection will have all those privileges.

No, selinux doesn't give 'extra' privileges to anything.  It adds
extra restrictions based on the context of the processes and the
files/directories besides the ones based on uid/gid.

> I wish I had the time and knowledge to implement it...and add it to my
> handbook, but on a webserver that
> is doing mail ins, mail outs, httpd, mysql, php, self made scripts,
> fail2ban, and a host of other programs
> it seems like it requires an experienced hand at it. Or a book.

Yes, it has taken years to get just the standard distributed packages
configured correctly - and that's probably with expert advice
available to the packagers...  You can't just drop it in on top of
stuff that has evolved organically for years.

-- 
  Les Mikesell
    lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

