Why do I need SELinux?

James McKenzie jjmckenzie51 at earthlink.net
Sat Feb 19 20:48:19 UTC 2005


David Cary Hart wrote:
> On Sat, 2005-02-19 at 13:29 -0700, Craig White wrote:
> 
>>---
>>I don't think the daemons that serve pop3 or imap are likely to be
>>running as root but I guess that would probably depend upon which one
>>you are using.
>>
> 
> No. Pop and imap run as dovecot. Our FTP is anonymous download only so
> there's nothing to hack. Apache seems adequately protected with per-
> directory permissions.

David:

Apache servers have been 'cracked' and taken over for purposes other 
than intended.  Never run httpd as root unless you really, really need to.

As far as using SELinux and given your situation, I would HIGHLY 
recommend it.  It is another layer of host-based security.  You can have 
a firewall, and it can be breached, leaving your system vulnerable.  It 
is sorta like adding another lock to your front door.  Sure they can be 
picked open by a professional, but they will move on if they realize it 
is too much trouble to gain access and will definitely scare away the 
amateur (read: script kiddie.)  As long as security will not prevent you 
from doing your job, more is better.  If adding SELinux adds too much of 
a load on your server, then you might want to reduce the items protected 
by it to only those you feel could be breached.  Add this to security 
best practices, and you should have a machine that only the determined 
professional can breach and those should be far between and few.
-- 
James McKenzie
With assistance, Now running 2.6.11rc3, Software Suspend 2
and ibm-acpi .1
Need a home for my .rpm



