[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 02:13:27 UTC 2010
Christopher Chan <christopher.chan at bradbury.edu.hk>

----- Original Message ----- 
From: "Max Hetrick" <maxhetrick at verizon.net>
To: "CentOS mailing list" <centos at centos.org>
Sent: Tuesday, November 30, 2010 6:51 AM
Subject: Re: [CentOS] SELinux - way of the future or good idea but !!!


> On 11/29/2010 05:09 PM, Christopher Chan wrote:
>
>> Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out
>> a bit too much. Write access is not just the problem. Being able to
>> upload and execute is also a problem. Can you say 'bot'?
>
>
> What we've done at my place of employment for a few of these kinds of
> issues is take a similar approach. We have a VM on a completely isolated
> network in the DMZ. Folks that need to access Facebook related items VNC
> to this machine since we have Facebook and other known social media
> sites blocked because of malware problems.
>
> If/when it gets hosed, we roll a snapshot back to good, or keep a copy
> of a known good instance, and no one inside the network is harmed since
> the machine has no internal access. In a case like this, yes, moving the
> problem elsewhere was a very practical and easy approach to a security
> issue. Obviously this example is a very specific one, but you shouldn't
> just automatically dismiss using a VM and moving the problem elsewhere
> for other practical purposes. It's a very good and practical solution to
> some security concerns.

Oh certainly. Guess why I run Windows servers in a VM? If it were a Linux 
box, I don't see why I should not also make use of SELinux even if the 
installation is running in a VM.


>
> This is a bit offtopic from SELinux, but there are folks using this
> approach successfully to address some of these issues.
>

Don't worry, easy to bring back to the topic.
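The point being made above about SELinux inside a VM, as an added example that is not part of the original thread and not the poster's own script: a small POSIX sh audit of the SELinux labels in a web upload directory. A directory httpd may write to is normally labeled httpd_sys_rw_content_t; httpd_t can only exec files labeled with an executable type such as httpd_sys_script_exec_t, so an uploaded bot binary that inherits the rw_content label cannot be executed by the confined web server while SELinux is enforcing. The file names and the `ls -Z` style lines below are constructed sample data so the script runs without SELinux present; the `audit_upload_dir` function is the live variant and assumes `ls -Z` and `getenforce` are available on the host.

```shell
#!/bin/sh
# Added example (not from the original CentOS list thread). Flags files in a
# web upload directory whose SELinux type would let httpd_t execute them.
# Hypothetical file names; the sample lines below are constructed to mimic
# "<context> <name>" output so the script can run offline.

SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_rw_content_t:s0 avatar.png
unconfined_u:object_r:httpd_sys_rw_content_t:s0 dropper.elf
unconfined_u:object_r:httpd_sys_script_exec_t:s0 shell.cgi
unconfined_u:object_r:httpd_sys_content_t:s0 readme.txt'

# Reads "<context> <name>" lines on stdin and prints the names whose
# SELinux type (third colon-separated field of the context) is one that
# httpd_t is allowed to execute. Everything else in an upload directory
# stays data as far as the web server is concerned.
flag_executable_labels() {
    while read -r ctx name; do
        [ -n "$name" ] || continue
        t=${ctx#*:}      # drop user field
        t=${t#*:}        # drop role field
        t=${t%%:*}       # keep type, drop MLS range
        case "$t" in
            httpd_sys_script_exec_t|httpd_exec_t|bin_t) echo "$name" ;;
        esac
    done
}

# Returns success only when the host is actually enforcing policy; a
# permissive or disabled SELinux makes the labels above informational only.
selinux_enforcing() {
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
}

# Live variant: audit a real directory. Works with both old ls -Z layouts
# (mode user group context name) and new ones (context name), assuming
# file names without spaces.
audit_upload_dir() {
    dir=$1
    ls -1Z "$dir" | awk '{ print $(NF-1), $NF }' | flag_executable_labels
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LS_Z" | flag_executable_labels
```

Run it against the real directory with `audit_upload_dir /var/www/html/uploads`; any name it prints is a file the web server could run, which is exactly the "upload and execute" case, and `selinux_enforcing || echo permissive` tells you whether the labels are being enforced at all.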