[CentOS] SELinux - way of the future or good idea but !!!

Mon Nov 29 22:51:56 UTC 2010
Max Hetrick <maxhetrick at verizon.net>

On 11/29/2010 05:09 PM, Christopher Chan wrote:

> Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out
> a bit too much. Write access is not just the problem. Being able to
> upload and execute is also a problem. Can you say 'bot'?

What we've done at my place of employment for a few of these kinds of 
issues is take a similar approach. We have a VM on a completely isolated 
network in the DMZ. Folks that need to access Facebook related items VNC 
to this machine since we have Facebook and other known social media 
sites blocked because of malware problems.

If/when it gets hosed, we roll a snapshot back to good, or keep a copy 
of a good known instance, and no one inside the network is harmed since 
the machine has no internal access. In a case like this, yes, moving the 
problem elsewhere was a very practical and easy approach to a security 
issue. Obviously this example is a very specific one, but you shouldn't 
just automatically dismiss using a VM and moving the problem elsewhere 
for other practical purposes. It's a very good and practical solution to 
some security concerns.

This is a bit off-topic from SELinux, but there are folks using this 
approach successfully to address some of these issues.