A bunch of years ago when I was using the bind package for DNS,
there was a change in Fedora/RHEL to de-emphasize use of chroot
and instead depend on SELinux to protect things. This change was
not so much advertised and just done.

I am wondering if something similar has happened for the
webserver. There is some (very limited) doc for apache (httpd)
and a lot of rules in selinux-policy-targeted for "httpd" and
these rules seem to apply to both httpd (apache) and lighttpd. If
I am reading the tea leaves correctly, SELinux seems to be
providing a lot of protection.

So, do I need chroot??? Is just using SELinux a "good enough"
solution? I am not looking for a perfect solution but one which
"good engineering practice" says should be "good enough." I hope
it is but would sure like some "experts" to agree as well as maybe
pointing to some substantiating documentation.

Side comment: If SELinux is attempting to provide the same
functionality to both httpd and lighttpd, it would be nice if the
documentation at least mentioned lighttpd.

Gene
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux