The biggest threat for a web server is exploiting a vulnerability and gaining root access. How are you going to restrict access to files for root with standard permissions?

The ability to restrict not only what files but which commands a user can access, and what files a process can access, is amazing. I agree you can shore up a server pretty tight with the standard tools, but SELinux just takes it that step further and, if used correctly, makes it far simpler to manage. I see the old way as micromanaging, and it's a lot easier to make mistakes when doing so. I see KISS used a lot to imply that the simpler the tool the better; I see it as the simpler to configure the better. And SELinux falls into the latter category IMO.

This is an article I found helpful when setting up SELinux the first time round. Related to Apache. I would be interested in how you could accomplish something like this without SELinux?

http://isrlabs.net/wordpress/?p=129

And this is the video that stopped me disabling SELinux… Skip to about 4:30 if you want to skip the introduction and get to the presentation proper.

https://www.youtube.com/watch?v=MxjenQ31b70

Daniel.

> Personally cannot think of a single use case for "if the file is under
> this directory, I want permissions XYZ" which can't be delivered by the
> current MAC/DAC/umask system... well, not one I'd want to see on a
> production server - KISS is paramount! Use of secondary groups+setgid
> +(rarely) umask+pam.d changes has done just about everything I need*
>
> Steve
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
