Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
Everyone knows software is imperfect. Even when you're fully patched and following good practices, somebody can hack your apache (or whatever) and that's why we layer on additional security such as selinux (or whatever.) I was recently called to examine a publicly facing production web server on fully patched centos 5, and I found somebody had successfully attacked it just by requesting a mangled URL, which launches arbitrary commands outside of apache's normal behavior. This is the sort of thing selinux is supposed to catch and prevent... But selinux is disabled. When you install rhel/centos/whatever using an iso (or whatever) it prompts you to enable/disable selinux and so forth, but a lot of the paravirtualization install processes don't run the "normal" system installer, and neglect this vital security setup, and you end up with a system lacking selinux. I am asking, all you folks out there running lots of different virtualization providers - Which providers, under which conditions, DON'T mess up selinux? Here are my current data points: You can check the status of selinux with the command: sestatus If it's disabled, I definitely don't recommend simply turning it on. Do it on a test system, because it's sure to mess things up dramatically. On ESX, since it's fully virtualized and the guest OS is installed from the ISO, the normal guest OS install process applies, and selinux works perfectly. On Amazon, since it's paravirtualized, and most image building guides tell you to "create a filesystem, copy in these files..." and stuff like that, selinux is almost always neglected. Maybe always. I have not tried enabling selinux after creating a machine on amazon - maybe it works maybe not. On rackspace, the default images they make available for you don't have selinux, and if you try to enable it, it fails. They have some special process you can follow, with the assistance of a support rep, to create some other sort of image which supports selinux. I have not tried it yet, so I can't testify to whether it's good or not. I formerly used prgmr - And based on memory - I am almost totally certain they do it right. Can anybody confirm? What other virtualization hosts are people using?
BLU is a member of BostonUserGroups | |
We also thank MIT for the use of their facilities. |