Re: Correct xen domains path

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Mon, Jun 18, 2007 at 06:45:26PM +0200, Daniel de Kok wrote:
> On Mon, 2007-06-18 at 12:03 -0400, Stephen Harris wrote:
> > I've not heard a good reason to keep SELinux enabled, to be honest.
> > For high sensitivity stuff, sure (much like using SEOS on Solaris for high
> > sensitivity machines - eg those where third parties might have access).
> > But as a general rule for all machines?  Why?
> 
> One of the major goals of SELinux is to restrict the impact of 0-day
> vulnerabilities. If there is an ugly exploit for some network-facing
> daemon, it is a good idea to restrict the potential damage as possible.

"External facing" machines (ie those that can be reached off the
internal network) _are_ one of those classes of machines flagged as "high
sensitivity".  These are candidates for SELinux, SEOS or equivalents.
They may be either directly on the internet or in a DMZ area behind
firewalls that allow certain incoming traffic (or in large corporations,
accessed via VPNs or leased lines from customer sites; a different type
of DMZ).

The security rule of thumb here is that such machine _will_ be attacked,
and so "security in depth" is the process to apply.

But these are special cases with special "elevated security" rules.

Now... why should such rules apply to machines not thus exposed?

-- 

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux