----- Original Message -----
From: "Max Hetrick" <maxhetrick at verizon.net>
To: "CentOS mailing list" <centos at centos.org>
Sent: Tuesday, November 30, 2010 6:51 AM
Subject: Re: [CentOS] SELinux - way of the future or good idea but !!!

> On 11/29/2010 05:09 PM, Christopher Chan wrote:
>
>> Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out
>> a bit too much. Write access is not just the problem. Being able to
>> upload and execute is also a problem. Can you say 'bot'?
>
>
> What we've done at my place of employment for a few of these kinds of
> issues is take a similar approach. We have a VM on a completely isolated
> network in the DMZ. Folks that need to access Facebook-related items VNC
> to this machine since we have Facebook and other known social media
> sites blocked because of malware problems.
>
> If/when it gets hosed, we roll a snapshot back to good, or keep a copy
> of a good known instance, and no one inside the network is harmed since
> the machine has no internal access. In a case like this, yes, moving the
> problem elsewhere was a very practical and easy approach to a security
> issue. Obviously this example is a very specific one, but you shouldn't
> just automatically dismiss using a VM and moving the problem elsewhere
> for other practical purposes. It's a very good and practical solution to
> some security concerns.

Oh certainly. Guess why I run Windows servers in a VM? If it was a Linux
box, I don't see why I should not also make use of SELinux even if the
installation is running in a VM.

> This is a bit off-topic from SELinux, but there are folks using this
> approach successfully to address some of these issues.
>

Don't worry, easy to bring back to the topic.