On 6/18/07, Stephen Harris <lists@xxxxxxxxxx> wrote:
> On Mon, Jun 18, 2007 at 05:46:27PM +0200, Daniel de Kok wrote:
> > On Mon, 2007-06-18 at 11:07 -0400, Stephen Harris wrote:
> > > On Mon, Jun 18, 2007 at 11:05:24AM -0400, Rick Barnes wrote:
> > > > My preference was to use /srv/xen and then symlink /srv/xen/etc to
> > > > /etc/xen and /srv/xen/images to /var/lib/xen/images
> > >
> > > My preference is to disable SELinux totally and use /xen as a separate
> > > mount point :-)
> >
> > I keep repeating in a sheepish fashion: baaaaad :p.
>
> I've not heard a good reason to keep SELinux enabled, to be honest. For high
> sensitivity stuff, sure (much like using SEOS on Solaris for high sensitivity
> machines - eg those where third parties might have access). But as a general
> rule for all machines? Why?
>
> Being sheep-like doesn't educate; a sheep-like post is... pointless.
Ok.. I have had good and bad experience with SELinux.

Good experience... I have had multiple webservers not have successful exploits because someone forgot to update phpBB or some such. Another good experience was dealing with a mail server compromise that didn't happen (it looked like it had, but SELinux had stomped the bad program when it tried to execute.)

Bad experience... spending 8 hours because of a broken shipped policy that I needed to find a posting on to fix. Or trying to figure out why Xen on my test system wasn't working because the SELinux policy doesn't do what it says it is supposed to do.

However, overall I have found that spending 8-12 hours to read/learn SELinux was worth it. I believe that it and the SuSE tool are pretty much going to be needed in the future as Linux becomes more popular and hacking/breaking into it is more monetarily worthwhile to the mobs etc. Yes, they add complexity.. but I am old enough to remember having to deal with people who thought that the Unix DAC rwx system was too complicated. Heck, it was only 2 years ago I had to figure out what/why a system was compromised.. the reason was that the person was an NT person and had set everything on the system as 7777 that he could.. so that he didn't have to remember root passwds and all his applications just worked. [Effectively turning off Unix DAC as it were.]

What I normally do is build the system first with a default policy in place.. and if I can't figure out or have other issues.. I put SELinux in permissive mode to work from there.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
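An added example, not part of the thread above: a small Python summariser for the AVC denials that permissive mode leaves in the audit log, which is the "work from there" step in practice. The log records, the xend/httpd denials and the var_t label on files under a /srv/xen-style layout are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of /var/log/audit/audit.log records (not from the thread).
# In permissive mode SELinux logs each denial like this but lets the access
# through, so the log tells you what an enforcing policy would have stopped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1182182400.101:201): avc:  denied  { read } for  pid=2345 comm="xend" name="xmexample1" dev=dm-0 ino=40001 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1182182400.102:202): avc:  denied  { read write } for  pid=2345 comm="xend" name="disk.img" dev=dm-0 ino=40002 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1182182400.103:203): avc:  denied  { search } for  pid=2345 comm="xend" name="xen" dev=dm-0 ino=40003 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1182182400.103:203): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1182182400.104:204): avc:  denied  { name_connect } for  pid=2400 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
"""

# "{ read write } for  key=value ..." -> permission list plus the trailing fields
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # The type (third component) is what allow rules are written against:
    # system_u:system_r:xend_t:s0 -> xend_t
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["perms"] = m.group("perms").split()
    return rec


def summarize_denials(log_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def report(counts):
    """One line per distinct denial, most frequent first."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{n:3d}  {s} -> {t}  {cls}:{perm}" for (s, t, cls, perm), n in rows)


if __name__ == "__main__":
    print(report(summarize_denials(SAMPLE_AUDIT_LOG)))
```

A domain repeatedly denied on a generic label such as var_t (constructed here) points at files living under a path the policy does not label for that service, which is the kind of thing the /srv/xen symlink layout in the quoted message can produce; compare the recorded tcontext with what ls -Z shows for the original location before deciding whether the fix is a relabel or a policy change.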