Re: Correct xen domains path




On 6/18/07, Stephen Harris <lists@xxxxxxxxxx> wrote:
> On Mon, Jun 18, 2007 at 10:31:30AM -0600, Stephen John Smoogen wrote:
> > On 6/18/07, Stephen Harris <lists@xxxxxxxxxx> wrote:
> > >I've not heard a good reason to keep SELinux enabled, to be honest.
> > >For high sensitivity stuff, sure (much like using SEOS on Solaris for high
> > >sensitivity machines - eg those where third parties might have access).
> > >But as a general rule for all machines?  Why?

> > Good experience... I have had multiple webservers not have successful

> Yup.  Webservers are machines where third parties might have access, and
> so are candidates for enhanced security processes such as SELinux or
> SEOS.

> I've never said there are _no_ cases for SELinux.  I was questioning it
> as a general rule for all machines.


Several of the problems were machines that were not connected to the
internet or were deep behind firewalls. The problems were that all it
takes is one user who doesn't think well to make all those
firewalls/issues useless. E.g. the person who coming in from work finds
a nice shiny USB fob and plugs it into a work computer to see who it
belonged to so they could return it.  The guy who downloads an
attachment supposedly from the partner in France and wonders why the
system runs so slowly. The fellow who has an addiction to porn and
decides that he just has to meet that 'blonde' who just wrote him
about sharing pictures. Etc etc.

While a lot of these things sound Windows specific.. there is a
boutique industry in doing it for Linux especially when you know that
the company you are wanting to infiltrate is using Linux for 'security
means'.

Or to be direct.. there is no such thing as a secure computer.. it is
up to you as the site administrator to determine what is safe enough
for Your Site using appropriate risk management. If you believe your
site has enough methods of protection or that the cost of extra
security (selinux) is not appropriate for your risk model.. you can
turn it off.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
