[CentOS] Correct xen domains path

Mon Jun 18 21:26:52 UTC 2007
Stephen John Smoogen <smooge at gmail.com>

On 6/18/07, Stephen Harris <lists at spuddy.org> wrote:
> On Mon, Jun 18, 2007 at 12:18:40PM -0600, Stephen John Smoogen wrote:
> > On 6/18/07, Stephen Harris <lists at spuddy.org> wrote:
> > >I've never said there are _no_ cases for SELinux.  I was questioning it
> > >as a general rule for all machines.
>
> > Several of the problems were machines that were not connected to the
> > internet or were deep behind firewalls. The problems were that all it
> > takes is one user who doesn't think well to make all those
> > firewalls/issues useless. E.g. the person who coming in from work finds
> > a nice shiny USB fob and plugs it into a work computer to see who it
> > belonged to so they could return it.  The guy who downloads an
>
> [ etc ]
>
> This is why I mentioned "risk profile" in another message.  You evaluate
> the perceived risk, the likelihood of the event happening, the cost of
> the event, the "cost" of a potential solution and perform an analysis.
>
> So one might rank the items like this:
>   external facing servers: high risk!  Automated attacks possible
>   Desktop work stations: moderate.  User stupidity highest attack vector
>   General compute server: low risk.  Only "trained" staff have access.
>

Most of my cleanup/horror stories are on servers that supposedly
"trained" staff have access to. I was wondering what a general compute
server is... I have seen this term multiple times to be used for too
many items (internal webservers, share servers, financial database,
etc) where due to the fact that the desktop could access it in some
way.. the stupid user had somehow basically infected it in one way or
another.



> (Umm, sorry for going on... I work in an area where these things are
> every day considerations so...)
>

No problem..

> > up to you as the site administrator to determine what is safe enough
>
> Actually, in large companies you have a whole risk organisational
> structure whose job it is to evaluate these things and determine policy.
> They straddle the line between technology (my side) and business (my
> customer) needs and try to balance the two.
>

Hmmmm I guess I haven't worked in a big enough business or the ones I
have dealt with were more inclined to just keep up with paperwork
versus actually making risk analysis. [Is also probably grumpy
today from having to do other peoples work for them.]


> > for Your Site using appropriate risk management. If you believe your
> > site has enough methods of protection or that the cost of extra
> > security (selinux) is not appropriate for your risk model.. you can
> > turn it off.
>
> I'd argue the opposite; if you feel the risk exposure is such that
> you need the protection then enable it.  I've listed cases where this
> is the case.
>
> That cases exist for SELinux does not mean it should be on by default,
> and is definitely not deserving of a sheeplike response whenever anyone
> proposes otherwise.
>

I am sorry, but while I believe that it was meant in jest... the core
of the problem is that turning it off is the default answer from too
many people who have no idea why an application isn't working.

Web-application not working, turn off selinux. File-share system not
working, turn off selinux. Desktop application you downloaded from
rpmfind.net not working, turn off selinux. It usually comes with the
recommended advice of use '--force --nodeps' to install/remove RPMS
and just keep setting files 777 until your application works. And
while your answers are clearly thought out... they are pretty much
drowned out in the Slashdot-like posts on webforums, email-lists, and
IRC where people who have no clue will tell people to turn off Selinux
by default and then give the other advice above.

Sorry for the grumpy analogy.. and I probably need a vacation from
mailing lists/IRC for a while.. but it seems that this last month has
been dealing with people who turned off selinux because someone told
them to on IRC etc etc. And those people have no idea why just that
they do it because someone told them to.

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"