Re: Correct xen domains path

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 6/18/07, Stephen Harris <lists@xxxxxxxxxx> wrote:
On Mon, Jun 18, 2007 at 05:46:27PM +0200, Daniel de Kok wrote:
> On Mon, 2007-06-18 at 11:07 -0400, Stephen Harris wrote:
> > On Mon, Jun 18, 2007 at 11:05:24AM -0400, Rick Barnes wrote:
> > > My preference was to use /srv/xen and then symlink /srv/xen/etc to
> > > /etc/xen and /srv/xen/images to /var/lib/xen/images
> >
> > My preference is to disable SELinux totally and use /xen as a seperate
> > mount point :-)
>
> I keep repeating in a sheepish fashion: baaaaad :p.

I've not heard a good reason to keep SELinux enabled, to be honest.
For high sensitivity stuff, sure (much like using SEOS on Solaris for high
sensitivity machines - eg those where third parties might have access).
But as a general rule for all machines?  Why?

Being sheep like doesn't educate; a sheeplike post is... pointless.

Ok.. I have had good and bad experience with Selinux.

Good experience... I have had multiple webservers not have successful
exploits because someone forgot to update phpBB or some such. Another
good experience was dealing with a mail server compromise that didnt
happen (it looked like it had but selinux had stomped the bad program
when it tried to execute.)

Bad experience... spending 8 hours because of a broken shipped policy
that I needed to find a posting on to fix. Or trying to figure out why
xen on my test system wasnt working because selinux policy doesnt do
what it says it is supposed to do.

However, overall I have found that spending 8-12 hours to read/learn
Selinux was worth it. I believe that it and the SuSE tool are pretty
much going to be needed in the future as Linux become more popular and
hacking/breaking into it is more monetarily worthwhile to the mobs
etc.

Yes they add complexity.. but I am old enough to remember having to
deal with people who thought that the Unix DAC rwx system was too
complicated. Heck it was only 2 years ago I had to figure out what/why
a system was compromised.. the reason was that the person was an NT
person and had set everything on the system as 7777 that he could.. so
that he didnt have to remember root passwds and all his applications
just worked. [Effectively turning off Unix DAC as it were.]

What I normally do is build system first with a default policy in
place.. and if I cant figure out or have other issues.. I put selinux
in permissive mode to work from there.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux