Re: [fw-wiz] Web server security?

From: Steffen Kluge (kluge_at_fujitsu.com.au)
Date: 06/22/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 22 Jun 2004 11:01:52 +1000
    
    
    

    On Tue, 2004-06-22 at 08:33, Paul D. Robertson wrote:
    > Has anyone on the list played with RSBAC (preferably) or SELinux and
    > Apache Web servers, and has any configurations they can share? I think
    > I'm more interested in MAC compartments than RBAC, but if someone else has
    > done the major groundwork, I'd like to have a head start.

    Quite a bit of the SELinux groundwork done so far has made it into
    Fedora Core 2, apparently. I eagerly went to check it out when it was
    released.

    Upon further delving into the matter, I found that the SELinux community
    reckons they're adding value mainly in situations where you run various
    different services on a single machine. They seem to think SELinux is
    probably not worthwhile for "single-trick ponies", since its main
    purpose is to isolate unrelated subsystems from each other (such as
    keeping a hacked web server from messing with IMAP accounts).

    I tend to set up my Internet-exposed servers to run exactly one service
    (plus SSH, not exposed to the outside world), and strip them down
    accordingly. I concluded that SELinux isn't going to be worth the
    trouble in these cases.

    If you are concerned about web-only servers you might end up reaching
    the same conclusion.

    Cheers
    Steffen.

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


