On 11/29/2010 05:09 PM, Christopher Chan wrote:
Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out a bit too much. Write access is not just the problem. Being able to upload and execute is also a problem. Can you say 'bot'?
What we've done at my place of employment for a few of these kinds of issues is take a similar approach. We have a VM on a completely isolated network in the DMZ. Folks that need to access Facebook related items VNC to this machine since we have Facebook and other known social media sites blocked because of malware problems.
If/when it gets hosed, we roll a snapshot back to good, or keep a copy of a good know instance, and no one inside the network is harmed since the machine has no internal access. In a case like this, yes, moving the problem elsewhere was a very practical and easy approach to a security issue. Obviously this example is a very specific one, but you shouldn't just automatically dismiss using a VM and moving the problem elsewhere for other practical purposes. It's a very good and practical solution to some security concerns.
This is a bit offtopic from SELinux, but there are folks using this approach successfully to address some of these issues.
Regards, Max