[CentOS] Correct xen domains path

Stephen John Smoogen smooge at gmail.com
Mon Jun 18 16:31:30 UTC 2007


On 6/18/07, Stephen Harris <lists at spuddy.org> wrote:
> On Mon, Jun 18, 2007 at 05:46:27PM +0200, Daniel de Kok wrote:
> > On Mon, 2007-06-18 at 11:07 -0400, Stephen Harris wrote:
> > > On Mon, Jun 18, 2007 at 11:05:24AM -0400, Rick Barnes wrote:
> > > > My preference was to use /srv/xen and then symlink /srv/xen/etc to
> > > > /etc/xen and /srv/xen/images to /var/lib/xen/images
> > >
> > > My preference is to disable SELinux totally and use /xen as a separate
> > > mount point :-)
> >
> > I keep repeating in a sheepish fashion: baaaaad :p.
>
> I've not heard a good reason to keep SELinux enabled, to be honest.
> For high sensitivity stuff, sure (much like using SEOS on Solaris for high
> sensitivity machines - eg those where third parties might have access).
> But as a general rule for all machines?  Why?
>
> Being sheep like doesn't educate; a sheeplike post is... pointless.

Ok.. I have had good and bad experience with SELinux.

Good experience... I have had multiple webservers not have successful
exploits because someone forgot to update phpBB or some such. Another
good experience was dealing with a mail server compromise that didn't
happen (it looked like it had but SELinux had stomped the bad program
when it tried to execute.)

Bad experience... spending 8 hours because of a broken shipped policy
that I needed to find a posting on to fix. Or trying to figure out why
xen on my test system wasn't working because SELinux policy doesn't do
what it says it is supposed to do.

However, overall I have found that spending 8-12 hours to read/learn
SELinux was worth it. I believe that it and the SuSE tool are pretty
much going to be needed in the future as Linux becomes more popular and
hacking/breaking into it is more monetarily worthwhile to the mobs
etc.

Yes they add complexity.. but I am old enough to remember having to
deal with people who thought that the Unix DAC rwx system was too
complicated. Heck it was only 2 years ago I had to figure out what/why
a system was compromised.. the reason was that the person was an NT
person and had set everything on the system as 7777 that he could.. so
that he didn't have to remember root passwds and all his applications
just worked. [Effectively turning off Unix DAC as it were.]

What I normally do is build system first with a default policy in
place.. and if I can't figure out or have other issues.. I put SELinux
in permissive mode to work from there.

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"


