[Discuss] apache problem

[invalid at pizzashack.org (Derek Martin)]

On Tue, Jan 08, 2019 at 06:44:59PM -0500, James Cassell wrote:
> Please don't disable SELinux.

Why?  Can you make a compelling case?

FWIW I typed a response to David's message last night but got
distracted and didn't send it.  It's now largely irrelevant, but
here's an excerpt that's not:

-=-=-=-=-

Though, TBH my money would be on SELinux being the problem.  I've long
ago come to the conclusion that it's just too complicated a solution,
and unless you're configuring services for an environment that
requires a very high level of security, you're better off just
disabling it outright.  It's caused me multiple days of head
scratching over the years, and I think it's mostly just more trouble
than it's worth outside of very specialized situations.

[I'm also largely of the opinion that if your system is otherwise
secure, extended ACLs of any sort are unnecessary, and Unix
permissions suffice just about always, excepting cases when you have a
very large number of users with a very large number of disparate
access needs to resources. And usually, even then.]

-=-=-=-=-

Nothing I've seen or read about in my ~25 years of managing Linux
systems has yet convinced me otherwise.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.