[CentOS] Correct xen domains path

Stephen Harris lists at spuddy.org
Mon Jun 18 16:56:53 UTC 2007

On Mon, Jun 18, 2007 at 06:45:26PM +0200, Daniel de Kok wrote:
> On Mon, 2007-06-18 at 12:03 -0400, Stephen Harris wrote:
> > I've not heard a good reason to keep SELinux enabled, to be honest.
> > For high sensitivity stuff, sure (much like using SEOS on Solaris for high
> > sensitivity machines - eg those where third parties might have access).
> > But as a general rule for all machines?  Why?
> One of the major goals of SELinux is to restrict the impact of 0-day
> vulnerabilities. If there is an ugly exploit for some network-facing
> daemon, it is a good idea to restrict the potential damage as possible.

"External facing" machines (ie those that can be reached off the
internal network) _are_ one of those classes of machines flagged as "high
sensitivity".  These are candidates for SELinux, SEOS or equivalents.
They may be either directly on the internet or in a DMZ area behind
firewalls that allow certain incoming traffic (or in large corporations,
accessed via VPNs or leased lines from customer sites; a different type
of DMZ).

The security rule of thumb here is that such machine _will_ be attacked,
and so "security in depth" is the process to apply.

But these are special cases with special "elevated security" rules.

Now... why should such rules apply to machines not thus exposed?



More information about the CentOS mailing list