Nice writeup, but still too complex

In an ideal world, SELinux policies would be generated automatically by the system by parsing Apache config files.
Really, having to configure everything twice in separate places is too hard. Hard to remember, hard to maintain.
Heck, most sysadmins cannot even properly set up Apache configuration for proper security...

Re: Nice writeup, but still too complex

I agree. Patches accepted. :^)

The problem here is that SELinux confines a lot more than just Apache. Writing a tool that would figure out each package's configuration is just impossible. But since Apache is the most complicated, it would be cool to write a config tool that could analyze Apache config and then configure SELinux labeling and booleans to match the config. Watch for a much longer article about to be published in Drupal Magazine on SELinux and Apache Configuration.
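
A sketch of the kind of tool discussed in this thread, added here as an example and not written by either commenter or taken from any SELinux project: it reads four Apache directives and returns the SELinux labeling, port and boolean commands an admin would review before running. The function name, the sample config, and the default port and content-root lists are assumptions.

```python
import re
import shlex

# Assumed stock targeted-policy defaults; confirm on the host with
# `semanage port -l` and `semanage fcontext -l` before relying on them.
DEFAULT_HTTP_PORTS = {80, 81, 443, 488, 8008, 8009, 8443, 9000}
DEFAULT_CONTENT_ROOTS = ("/var/www",)

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = '''Listen 80
Listen 8081
DocumentRoot "/srv/site/htdocs"
<Directory />
    Require all denied
</Directory>
ProxyPass "/api" "http://127.0.0.1:9090/"
UserDir disabled
'''

def suggest_selinux(conf_text):
    """Return SELinux commands for an admin to review; nothing is executed."""
    cmds = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line.strip("<>"))  # "<Directory x>" -> "Directory x"
        except ValueError:
            continue  # unbalanced quotes: leave the line for a human to read
        if len(parts) < 2:
            continue
        name, args = parts[0].lower(), parts[1:]
        if name in ("documentroot", "directory"):
            path = args[0].rstrip("/")  # "<Directory />" becomes "" and is skipped
            stock = any(path == r or path.startswith(r + "/") for r in DEFAULT_CONTENT_ROOTS)
            if path.startswith("/") and not stock:
                cmds += ["semanage fcontext -a -t httpd_sys_content_t " + shlex.quote(path + "(/.*)?"),
                         "restorecon -Rv " + shlex.quote(path)]
        elif name == "listen":
            port = args[0].rsplit(":", 1)[-1]  # handles "8081", "1.2.3.4:8081", "[::1]:8081"
            if port.isdigit() and int(port) not in DEFAULT_HTTP_PORTS:
                cmds.append("semanage port -a -t http_port_t -p tcp " + port)
        elif name == "proxypass" and any(re.match(r"(https?|ajp|wss?)://", a) for a in args):
            cmds.append("setsebool -P httpd_can_network_connect on")
        elif name == "userdir" and args[0].lower() != "disabled":
            cmds.append("setsebool -P httpd_enable_homedirs on")
    return list(dict.fromkeys(cmds))  # drop duplicates, keep first-seen order
```

It ignores `Include` files, regex or wildcard `<Directory>` sections and writable content, so the output is a starting point for review, not a complete policy.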

