Re: ESXi, KVM or Xen?




On 7/3/10, David McGuffey <davidmcguffey@xxxxxxxxxxx> wrote:
> As I understand it each VM under kvm has a different SELinux context.
> Breaking into one VM doesn't give you the context to manipulate another.
> One would have to go back out through the network to attack the next
> VM...and if you have decent logging and IDS the noise should be
> seen/detected.
>
> I went with kvm specifically because it is integrated into SELinux.

In theory that sounds great and would have covered the security concern
part. But my own experience with SELinux had basically been well less
than positive.

When I first knew about it 2 years ago on my first install of CentOS,
it just made things really difficult and even when it worked,
setroubleshootd ends up sucking up memory and lags the system, making
it extremely difficult to even view the SE event log to try to figure
out what happened.

Maybe it's just my noobness then, so I'll give it another try with
leaving SELinux enforcing instead of permissive.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
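
Added example, not part of the original message or thread: a shell check for the per-VM SELinux separation described in the quoted text above. It assumes libvirt's sVirt labeling, where each qemu-kvm process runs as `svirt_t` with its own MCS category pair; the function names and the sample `ps` lines are constructed for illustration.

```shell
#!/bin/bash
# Audit SELinux labels of qemu-kvm processes (assumes sVirt-style labels).
# Input format: output of `ps -eo label,pid,args` (LABEL PID ARGS...).

# Constructed sample, not real output: two isolated guests, one guest that
# shares its categories with another, and one guest outside svirt_t.
sample_ps() {
cat <<'EOF'
system_u:system_r:svirt_t:s0:c105,c732 2101 /usr/libexec/qemu-kvm -name web01
system_u:system_r:svirt_t:s0:c218,c940 2155 /usr/libexec/qemu-kvm -name db01
system_u:system_r:svirt_t:s0:c105,c732 2290 /usr/libexec/qemu-kvm -name test01
system_u:system_r:initrc_t:s0 2333 /usr/libexec/qemu-kvm -name legacy01
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 /usr/sbin/sshd
EOF
}

# Prints one verdict per qemu process; exit status is 1 if any guest is not
# confined to svirt_t or does not have a category set of its own.
audit_svirt() {
  awk '
    $3 !~ /qemu/ { next }                 # only look at guest processes
    {
      n = split($1, f, ":")               # user:role:type:level[:categories]
      type = f[3]
      cats = (n >= 5) ? f[5] : ""
      if (type != "svirt_t") {
        printf "UNCONFINED pid=%s type=%s\n", $2, type; bad++; next
      }
      if (cats == "") {
        printf "NOCATS pid=%s\n", $2; bad++; next
      }
      if (cats in seen) {                 # same MCS pair means no separation
        printf "SHARED pid=%s cats=%s also_pid=%s\n", $2, cats, seen[cats]
        bad++; next
      }
      seen[cats] = $2
      printf "OK pid=%s cats=%s\n", $2, cats
    }
    END { exit (bad > 0) }
  '
}

# Demo on the constructed sample; on a host, pipe `ps -eo label,pid,args` in.
sample_ps | audit_svirt || echo "isolation problems found"
```

The separation only applies while SELinux is enforcing, so check `getenforce` alongside this; in permissive mode the labels are present but denials are only logged.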

