Somebody in the thread at some point said:

> Arthur Pemberton wrote:
>>>>
>>> The shortcut test is to su to the user in question and try to access the
>>> file/device. The only slightly more complicated way is to walk down the
>>> path looking at the permissions for user/group/other on the file and the
>>> directories above.
>>
>> Well, these "traditional" methods didn't work for your friend Karl,
>> since he was hacked with them.
>
> Perhaps he had a false sense of security from the supposed other layers
> claimed to be present, when paying attention to the obvious would have
> been more beneficial. That's the main reason I question the value of
> SELinux in the first place. It doesn't come into play unless you have
> already made a mistake with the simple things and it diverts attention
> and makes it appear to be unimportant to get those things right.

It's generally accepted that layers of security are a good thing. Turning what you say around, relying on getting one brittle layer completely right and having nothing behind it doesn't sound like a better system.

Considering where the real hacks actually come from, you might get PHP "safe mode" completely "right" but somebody knows a sneaky way out anyway. If selinux is there to spew a log alert when he tries to spawn a shell that is very valuable indeed.

-Andy
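
The path walk described in the quoted text above, as an added example that is not part of the original message: a shell function that reports, from mode bits only, where the "other" permission class is blocked on the way to a file. The function name `walk_other_access` and its optional stop directory are assumptions; ACLs, SELinux policy and symlink targets are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): walk from a file up through its
# parent directories and check the "other" permission class at each step.
# Mode bits only: ACLs, SELinux policy and symlink targets are NOT evaluated.

# walk_other_access TARGET [TOP]
#   TARGET  absolute path to check
#   TOP     ancestor at which to stop walking (default "/"); hypothetical knob
# Returns 0 if every checked component lets "other" through, 1 if any
# component blocks it, 2 on usage errors.
walk_other_access() {
    wa_target=$1
    wa_top=${2:-/}
    case $wa_target in
        /*) ;;
        *) echo "need an absolute path: $wa_target" >&2; return 2 ;;
    esac
    [ -e "$wa_target" ] || { echo "no such path: $wa_target" >&2; return 2; }

    wa_rc=0
    wa_p=$wa_target
    while :; do
        wa_mode=$(ls -ld "$wa_p" | cut -c1-10)
        if [ "$wa_p" = "$wa_target" ]; then
            # The object itself: "other" needs the read bit (8th character).
            wa_bit=$(printf '%s' "$wa_mode" | cut -c8)
            wa_want=r
        else
            # A directory above it: "other" needs search (10th character).
            # "t" is sticky plus search; "T" is sticky without search.
            wa_bit=$(printf '%s' "$wa_mode" | cut -c10)
            wa_want=x
            [ "$wa_bit" = t ] && wa_bit=x
        fi
        if [ "$wa_bit" = "$wa_want" ]; then
            printf 'ok      %s %s\n' "$wa_mode" "$wa_p"
        else
            printf 'BLOCKED %s %s\n' "$wa_mode" "$wa_p"
            wa_rc=1
        fi
        if [ "$wa_p" = "$wa_top" ] || [ "$wa_p" = / ]; then break; fi
        wa_p=$(dirname "$wa_p")
    done
    return $wa_rc
}
```

A clean result here says nothing about what an SELinux policy would allow or deny for the same access, which is the layer the reply above is arguing for.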