----- Original Message -----
From: "Max Hetrick" maxhetrick@verizon.net
To: "CentOS mailing list" centos@centos.org
Sent: Tuesday, November 30, 2010 6:51 AM
Subject: Re: [CentOS] SELinux - way of the future or good idea but !!!
> On 11/29/2010 05:09 PM, Christopher Chan wrote:
>> Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out a bit too much. Write access is not just the problem. Being able to upload and execute is also a problem. Can you say 'bot'?
> What we've done at my place of employment for a few of these kinds of issues is take a similar approach. We have a VM on a completely isolated network in the DMZ. Folks that need to access Facebook-related items VNC to this machine, since we have Facebook and other known social media sites blocked because of malware problems.
> If/when it gets hosed, we roll a snapshot back to good, or keep a copy of a known-good instance, and no one inside the network is harmed since the machine has no internal access. In a case like this, yes, moving the problem elsewhere was a very practical and easy approach to a security issue. Obviously this example is a very specific one, but you shouldn't just automatically dismiss using a VM and moving the problem elsewhere for other practical purposes. It's a very good and practical solution to some security concerns.
Oh certainly. Guess why I run Windows servers in a VM? If it was a Linux box, I don't see why I should not also make use of SELinux even if the installation is running in a VM.
> This is a bit off-topic from SELinux, but there are folks using this approach successfully to address some of these issues.
Don't worry, easy to bring back to the topic.
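Christopher's point in the quoted exchange, that the real problem is being able to upload and then execute, is something you can audit for directly. What follows is an added example, not code from the list thread or from the CentOS project: a POSIX sh scan that lists regular files under a web root that are group- or world-writable and also carry an execute bit, plus a remediation that clears execute bits in an upload area. The directory layout and file names are constructed for the example; it assumes only sh, find, chmod and mktemp.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find files that a web
# process could both write and run, the "upload and execute" combination.
# Octal masks: 020 = g+w, 002 = o+w, 0100/010/001 = u/g/o execute bits.

# Print every regular file under $1 that is group- or world-writable AND has
# at least one execute bit set.
find_writable_executables() {
    find "$1" -type f \
        \( -perm -020 -o -perm -002 \) \
        \( -perm -0100 -o -perm -010 -o -perm -001 \) \
        -print
}

# Same scan, but return only the number of offending files (handy in scripts).
count_writable_executables() {
    find_writable_executables "$1" | wc -l | tr -d ' '
}

# Remediation for an upload area: clear all execute bits on regular files.
# A noexec mount and a non-executable SELinux file context are the persistent
# controls; this only cleans up what is already there.
strip_exec_bits() {
    find "$1" -type f -exec chmod a-x {} +
}

# Build a constructed sample web root in a temp directory and print its path.
# File names and modes are made up to exercise each case of the scan.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/upload" "$d/cgi-bin"
    : > "$d/upload/avatar.png";  chmod 664 "$d/upload/avatar.png"  # writable, not executable: fine
    : > "$d/upload/bot";         chmod 777 "$d/upload/bot"         # writable AND executable: the problem
    : > "$d/cgi-bin/form.cgi";   chmod 755 "$d/cgi-bin/form.cgi"   # executable but not writable by g/o: fine
    : > "$d/upload/.dropper.sh"; chmod 776 "$d/upload/.dropper.sh" # group-writable and executable: flagged too
    printf '%s\n' "$d"
}

# Stand-alone run: show the offenders, fix the upload area, show it is clean.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_webroot)
    echo "before:"; find_writable_executables "$root"
    strip_exec_bits "$root/upload"
    echo "after: $(count_writable_executables "$root") offending file(s)"
    rm -rf "$root"
fi
```

Permission bits only govern direct execution. A PHP or Perl file dropped into a writable directory is run by the interpreter regardless of its mode, which is exactly where SELinux file contexts (a writable content type that the web server domain cannot execute) add what chmod and even a VM snapshot cannot.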