Les Mikesell
2005-May-24 12:56 UTC
[CentOS] PostgreSQL/SELinux Error - relation "pg_catalog.pg_user" does not exist
On Tue, 2005-05-24 at 08:08, Micha Silver wrote:
> > > The best thing to do is add this to /etc/selinux/config
> > > SELINUX=disabled
> > > And then get on with the real jobs....
> >
> Listening to all the pros and cons of SELinux.
> I'd like to improve the security of our regional web server using SELinux.
> We have a main regional web site and several virtual domains, kept up by
> private users, all on the same server. Some of the private users want to run
> php and database apps on their websites. Up till now I steered away from
> allowing users to run anything on their sites, since a break-in to any
> private virtual domain would endanger the whole http process, including the
> main regional site. I'm preparing to switch over to a new (CentOS 4)
> machine, and I thought to set up a different SELinux context for each
> virtual domain, so that a vulnerability in someone's private web site would
> be isolated and not be able to crash the other domains.
> Is this achievable *without* SELinux??

The simple-minded way has always been to run a separate http instance bound
to a different port or IP address, running as a different user. If you only
have one IP address and need to appear to be on port 80, you can arrange this
with a virtualhost on the main server that uses proxypass or a rewriterule
that results in a proxy connection to the server running under the other uid.

---
Les Mikesell
lesmikesell at gmail.com
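A concrete version of the setup Les describes, added here as an example and not taken from the thread: the front-end httpd on port 80 keeps serving the regional site and reverse-proxies one private domain to a second httpd instance that listens on loopback only and runs as its own uid, so PHP in that domain runs under that uid rather than as the main server's user. The host names, port 8081, the `private1` user and all paths are made up; the LoadModule lines are assumed to be copied from the stock CentOS 4 httpd.conf.

```apache
# ---- /etc/httpd/conf/httpd.conf (front-end, runs as "apache", owns port 80) ----
# Example configuration; private1.example, port 8081 and the paths are made up.
# mod_proxy and mod_proxy_http must be loaded (they are in the stock CentOS 4 file).
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   www.region.example
    DocumentRoot /var/www/region
</VirtualHost>

<VirtualHost *:80>
    ServerName private1.example
    # Stay a reverse proxy only; never a forward proxy on the public interface.
    ProxyRequests Off
    # Hand every request to the backend that listens on loopback...
    ProxyPass        / http://127.0.0.1:8081/
    # ...and rewrite Location: headers in its redirects back to the public name.
    ProxyPassReverse / http://127.0.0.1:8081/
    # mod_rewrite alternative to the two lines above:
    #   RewriteEngine On
    #   RewriteRule ^/(.*)$ http://127.0.0.1:8081/$1 [P,L]
</VirtualHost>

# ---- /etc/httpd/conf/httpd-private1.conf (backend for one private domain) ----
# Started separately: httpd -f /etc/httpd/conf/httpd-private1.conf
# Copy the LoadModule lines (including mod_php) from the stock httpd.conf first.
ServerRoot /etc/httpd
# Loopback only, so the backend is reachable solely through the front-end.
Listen 127.0.0.1:8081
# The whole point: PHP and anything else here runs as this uid, not "apache".
User  private1
Group private1
# Separate pid and log files so the two instances do not clobber each other.
PidFile /var/run/httpd-private1.pid
ErrorLog logs/private1-error_log
# The client seen by the backend is always 127.0.0.1; log the real address
# that mod_proxy puts in X-Forwarded-For instead.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
CustomLog logs/private1-access_log proxied
ServerName   private1.example
DocumentRoot /home/private1/www
<Directory /home/private1/www>
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

Each additional private domain needs its own copy of the backend file with a different uid, port, PidFile and log names, plus one more proxying VirtualHost in the front-end, which is the per-domain overhead Micha objects to later in the thread.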
Micha Silver
2005-May-24 13:08 UTC
[CentOS] PostgreSQL/SELinux Error - relation "pg_catalog.pg_user" does not exist
> > The best thing to do is add this to /etc/selinux/config
> > SELINUX=disabled
> > And then get on with the real jobs....
>

Listening to all the pros and cons of SELinux.
I'd like to improve the security of our regional web server using SELinux.
We have a main regional web site and several virtual domains, kept up by
private users, all on the same server. Some of the private users want to run
php and database apps on their websites. Up till now I steered away from
allowing users to run anything on their sites, since a break-in to any
private virtual domain would endanger the whole http process, including the
main regional site. I'm preparing to switch over to a new (CentOS 4)
machine, and I thought to set up a different SELinux context for each
virtual domain, so that a vulnerability in someone's private web site would
be isolated and not be able to crash the other domains.
Is this achievable *without* SELinux??

Thanks,
Micha
Micha Silver
2005-May-24 15:23 UTC
[CentOS] PostgreSQL/SELinux Error - relation "pg_catalog.pg_user" does not exist
> On Tue, 2005-05-24 at 08:08, Micha Silver wrote:
> > > > The best thing to do is add this to /etc/selinux/config
> > > > SELINUX=disabled
> > > > And then get on with the real jobs....
> > >
> > Listening to all the pros and cons of SELinux.
> > I'd like to improve the security of our regional web server using SELinux.
> > We have a main regional web site and several virtual domains, kept up by
> > private users, all on the same server. Some of the private users want to run
> > php and database apps on their websites. Up till now I steered away from
> > allowing users to run anything on their sites, since a break-in to any
> > private virtual domain would endanger the whole http process, including the
> > main regional site. I'm preparing to switch over to a new (CentOS 4)
> > machine, and I thought to set up a different SELinux context for each
> > virtual domain, so that a vulnerability in someone's private web site would
> > be isolated and not be able to crash the other domains.
> > Is this achievable *without* SELinux??
>
> The simple-minded way has always been to run a separate http
> instance bound to a different port or IP address, running as
> a different user. If you only have one IP address and need
> to appear to be on port 80, you can arrange this with a
> virtualhost on the main server that uses proxypass or a
> rewriterule that results in a proxy connection to the server
> running under the other uid.
>

Thanks Les,
With several virtual domains, setting each up on a separate port with rewrite
rules, and running several httpd processes under different UIDs would quickly
become not so "simple-minded".

Regards,
Micha

> ---
> Les Mikesell
> lesmikesell at gmail.com
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos