Re: SELinux - way of the future or good idea but !!!




----- Original Message ----- 
From: "Max Hetrick" <maxhetrick@xxxxxxxxxxx>
To: "CentOS mailing list" <centos@xxxxxxxxxx>
Sent: Tuesday, November 30, 2010 6:51 AM
Subject: Re:  SELinux - way of the future or good idea but !!!


> On 11/29/2010 05:09 PM, Christopher Chan wrote:
>
>> Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out
>> a bit too much. Write access is not just the problem. Being able to
>> upload and execute is also a problem. Can you say 'bot'?
>
>
> What we've done at my place of employment for a few of these kinds of
> issues is take a similar approach. We have a VM on a completely isolated
> network in the DMZ. Folks that need to access Facebook related items VNC
> to this machine since we have Facebook and other known social media
> sites blocked because of malware problems.
>
> If/when it gets hosed, we roll a snapshot back to good, or keep a copy
> of a known good instance, and no one inside the network is harmed since
> the machine has no internal access. In a case like this, yes, moving the
> problem elsewhere was a very practical and easy approach to a security
> issue. Obviously this example is a very specific one, but you shouldn't
> just automatically dismiss using a VM and moving the problem elsewhere
> for other practical purposes. It's a very good and practical solution to
> some security concerns.

Oh certainly. Guess why I run Windows servers in a VM? If it were a Linux 
box, I don't see why I should not also make use of SELinux even if the 
installation is running in a VM.


>
> This is a bit off-topic from SELinux, but there are folks using this
> approach successfully to address some of these issues.
>

Don't worry, easy to bring back to the topic. 


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

