On Sun, 2010-03-07 at 19:44 -0700, James McKenzie wrote:
> SELinux should work with web servers in non-secure and secure modes. It
> should work with Tomcat publishing dynamic pages as well.
>
> It's part having the right tools for the job Martin.
>

The problem when it was first released for Fedora was that it used a cookie-cutter approach: telling it that you used Apache merely OK'ed that within /var/www - IMO a silly place to put web pages as the /var structure is one that you're almost certainly going to blitz as part of a clean install and probably not bother to back up. The SEL config tool had no method for saying that any occurrences of /home/*/public_html were also OK for Apache to serve from.

I'd disabled it by the time I started to use Postgres, but it's a safe bet the same problem would occur because the Fedora default puts the Postgres files and database in /var/postgresql while I run it from /home/postgres for the reasons given in my last post.

> And the added security should not be a security blanket either. SELinux
> is just another level of host based security.
>

Yep. I don't accept incoming net connections. I get my mail with getmail and run it through SpamAssassin before it gets passed to Postfix for distribution. No ClamAV at present because I have no Wine apps that know what mail is and most probably never will either. chkrootkit gets run weekly - possibly daily would be better.

Martin