Rik Farrow teaches a really good class at LISA called "Re-enabling SELinux" - I reviewed it here: http://blogs.usenix.org/2009/11/02/re-enabling-selinux-training/
That might be useful for someone who's considering using SELinux in production and is headed to LISA next month.

--Matt

On Fri, Nov 11, 2011 at 11:23 AM, Edward Ned Harvey <lop...@nedharvey.com> wrote:
> Everyone knows software is imperfect. Even when you're fully patched and
> following good practices, somebody can hack your apache (or whatever) and
> that's why we layer on additional security such as selinux (or whatever.)
> I was recently called to examine a publicly facing production web server on
> fully patched centos 5, and I found somebody had successfully attacked it
> just by requesting a mangled URL, which launches arbitrary commands outside
> of apache's normal behavior. This is the sort of thing selinux is supposed
> to catch and prevent... But selinux is disabled.
>
> When you install rhel/centos/whatever using an iso (or whatever) it
> prompts you to enable/disable selinux and so forth, but a lot of the
> paravirtualization install processes don't run the "normal" system
> installer, and neglect this vital security setup, and you end up with a
> system lacking selinux.
>
> I am asking, all you folks out there running lots of different
> virtualization providers - Which providers, under which conditions, DON'T
> mess up selinux?
>
> Here are my current data points:
>
> You can check the status of selinux with the command: sestatus
>
> If it's disabled, I definitely don't recommend simply turning it on. Do
> it on a test system, because it's sure to mess things up dramatically.
>
> On ESX, since it's fully virtualized and the guest OS is installed from
> the ISO, the normal guest OS install process applies, and selinux works
> perfectly.
>
> On Amazon, since it's paravirtualized, and most image building guides tell
> you to "create a filesystem, copy in these files..." and stuff like that,
> selinux is almost always neglected. Maybe always. I have not tried
> enabling selinux after creating a machine on amazon - maybe it works, maybe
> not.
>
> On rackspace, the default images they make available for you don't have
> selinux, and if you try to enable it, it fails. They have some special
> process you can follow, with the assistance of a support rep, to create
> some other sort of image which supports selinux. I have not tried it yet,
> so I can't testify to whether it's good or not.
>
> I formerly used prgmr - And based on memory - I am almost totally certain
> they do it right. I know Luke often lurks here, and other prgmr
> customers. Can somebody confirm?
>
> What other virtualization hosts are people using?
>
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.
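Added example, not code from either message in this thread: a POSIX shell script that does the audit Edward describes (is SELinux actually on in this guest, and what does the boot-time config say?) and stages the cautious re-enable path he recommends doing on a test system: switch the config to permissive rather than enforcing, and request a full relabel, since a filesystem that was populated while SELinux was off carries no labels. The file paths (/etc/selinux/config, /sys/fs/selinux/enforce, and the older /selinux/enforce mount that CentOS 5 uses) are real; the function names, the advice strings, and the optional root-directory argument that lets the staging step be exercised against a scratch tree are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): audit a RHEL/CentOS guest's SELinux state
# and stage a safe re-enable. Function names and advice strings are mine.

# Kernel-level state right now: enforcing, permissive, or disabled.
# Reads the selinuxfs enforce flag from /sys/fs/selinux (modern kernels) or
# /selinux (the mount point CentOS 5 uses). If neither exists, SELinux was
# not initialised at boot, which is exactly the "disabled" case in the thread.
selinux_runtime_state() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then
            case "$(cat "$f")" in
                1) echo enforcing ;;
                0) echo permissive ;;
                *) echo unknown ;;
            esac
            return 0
        fi
    done
    echo disabled
}

# Boot-time setting from the config file (default /etc/selinux/config).
# Prints disabled/permissive/enforcing, "unset" if no SELINUX= line, or
# "missing" if the file is absent (common on hand-built paravirt images).
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo missing; return 0; }
    # Last uncommented SELINUX= line wins, matching how the init scripts read it.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unset}"
}

# Map (runtime, config) to the next administrative step.
selinux_advice() {
    runtime="$1"; config="$2"
    if [ "$runtime" = disabled ] && [ "$config" != permissive ] && [ "$config" != enforcing ]; then
        echo stage-permissive      # nothing enabled anywhere: stage on a test system first
    elif [ "$runtime" = disabled ]; then
        echo relabel-and-reboot    # config already asks for it; labels and a reboot are missing
    elif [ "$runtime" = permissive ]; then
        echo review-denials        # read AVC denials in /var/log/audit/audit.log before enforcing
    else
        echo ok
    fi
}

# Stage the safe path: SELINUX=permissive (denials are logged, not blocked)
# plus /.autorelabel so the next boot labels every file. Optional $1 is a
# root directory, so this can be rehearsed against a scratch tree.
stage_permissive() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"
    mkdir -p "$(dirname "$cfg")"
    if [ -f "$cfg" ] && grep -q '^[[:space:]]*SELINUX=' "$cfg"; then
        sed 's/^[[:space:]]*SELINUX=.*/SELINUX=permissive/' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' >> "$cfg"
    fi
    touch "$root/.autorelabel"
}

# One-line report: "runtime=<state> config=<mode> next=<advice>".
selinux_report() {
    rt=$(selinux_runtime_state)
    cm=$(selinux_config_mode "${1:-/etc/selinux/config}")
    echo "runtime=$rt config=$cm next=$(selinux_advice "$rt" "$cm")"
}
```

Source the file and run `selinux_report` on each guest to get a one-line answer to Edward's question for that provider; `sestatus` gives the same runtime answer where the policycoreutils package is installed, but the selinuxfs check works even on images that never had it. `stage_permissive` with no argument edits the real config and should only be run on the test copy the thread recommends; the reboot that follows will take noticeably longer because of the relabel.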