[CentOS] SELinux - way of the future or good idea but !!!
maxhetrick at verizon.net
Mon Nov 29 17:51:56 EST 2010
On 11/29/2010 05:09 PM, Christopher Chan wrote:
> Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out
> a bit too much. Write access is not just the problem. Being able to
> upload and execute is also a problem. Can you say 'bot'?
What we've done at my place of employment for a few of these kinds of
issues is take a similar approach. We have a VM on a completely isolated
network in the DMZ. Folks that need to access Facebook-related items VNC
to this machine since we have Facebook and other known social media
sites blocked because of malware problems.
If/when it gets hosed, we roll a snapshot back to good, or keep a copy
of a good known instance, and no one inside the network is harmed since
the machine has no internal access. In a case like this, yes, moving the
problem elsewhere was a very practical and easy approach to a security
issue. Obviously this example is a very specific one, but you shouldn't
just automatically dismiss using a VM and moving the problem elsewhere
for other practical purposes. It's a very good and practical solution to
some security concerns.
This is a bit off-topic from SELinux, but there are folks using this
approach successfully to address some of these issues.