[BBLISA] virtual servers and security problems

K. M. Peterson KMP at KMPeterson.COM
Fri Nov 11 13:32:58 EST 2011


I moved my personal external server to Linode; running CentOS 6 there.

I upgraded my test/home box to CentOS 6 and decided that I would enable SELinux and run in Enforcing mode.  Too much coffee does that sort of thing to me; it's been very interesting.  I've had to create two policies (one for Asterisk, and one for nfsen) to get around issues that couldn't be solved by ensuring objects were labeled correctly and the like; the former is a small-enough hole that I'm not particularly worried, and the latter is overly broad - but it seems to be really hard to constrain PHP applications.  Especially if you don't know PHP...

Of course I turned on SELinux on my Linode, and wondered why there was nothing in the logs.  Turns out the distros they provide, like others you mentioned, don't have support for SELinux.  There were some discussions that you could build your own kernels on their hosts that would support SELinux, and that some people had done so; it was easier for me for that application to let it slide.

I decided that if I get to the point where it's an issue, I'd probably look into separation of "domains" by VMs - that is, ensure that compromise of any VM wouldn't affect the security of other pieces of the application.  That's just a different design perspective, and probably not all that helpful to you.  Bottom line, though, is that Xen apparently doesn't rule out SELinux in a guest.

Also, there are SELinux policies for RHEL/CentOS for VMs themselves.  

BTW, there are some discussions on the AWS forums where people have claimed to have enabled it.  And the Amazon AMI (2011.09) has the SELinux packages included...

HTH,
_KMP

K. M. Peterson, Boston                                      http://kmpeterson.com/resume
40 Stanton Road                                             Contact information, calendar,
Brookline, MA  02445-6839                                   LinkedIn, Twitter, IM, Skype:   
Phone: +1 617 731 6177                                      http://kmpeterson.com/contact


On 11 Nov 2011, at 11:24 , Edward Ned Harvey wrote:

> I am asking, all you folks out there running lots of different virtualization providers - Which providers, under which conditions, DON'T mess up selinux?
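Two of the problems described in the post above, a hosting kernel that silently lacks SELinux support and working out which AVC denials call for a label fix versus a custom policy module, as an added shell example. This is not code from the original post or from the bblisa thread. It assumes a CentOS 6 layout (audit records in /var/log/audit/audit.log, audit2allow and semodule from policycoreutils); the function names and the sample denial lines are constructed for illustration and do not come from any real host.

```sh
#!/bin/sh
# Added example, not from the original post. Checks kernel support for
# SELinux, then summarizes AVC denials so they can be sorted into
# "relabel the files" versus "write a policy module".

# A kernel built without SELinux never registers the selinuxfs filesystem,
# so /proc/filesystems is the tell regardless of what /etc/selinux/config
# says or which selinux packages are installed. The optional argument lets
# the check run against a copy of the file.
selinux_kernel_support() {
    fs_list="${1:-/proc/filesystems}"
    if [ -r "$fs_list" ] && grep -q 'selinuxfs$' "$fs_list"; then
        echo yes
    else
        echo no
    fi
}

# One line per distinct (source type, target type, class, permissions) in
# an audit log. Denials against generic target types such as var_t usually
# mean mislabeled files (semanage fcontext + restorecon); denials against
# purpose-specific types such as a port type usually need a boolean or a
# policy module.
summarize_avc() {
    awk '
        /avc: *denied/ {
            perms = ""; stype = ""; ttype = ""; cls = ""
            # permissions sit between "{ " and " }"
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
                gsub(/ +/, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                # contexts are user:role:type:level; keep only the type
                if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
                else if (kv[1] == "tclass") cls = kv[2]
            }
            if (stype != "" && ttype != "" && cls != "")
                print stype, ttype, cls, perms
        }
    ' "${1:-/var/log/audit/audit.log}" | sort -u
}

# Build a local policy module from the denials that survive triage. Only
# runs where policycoreutils is installed; otherwise it prints the commands.
# Read the generated $name.te before installing: it allows exactly what was
# denied, and nothing narrower.
build_local_module() {
    log="${1:-/var/log/audit/audit.log}"; name="${2:-local}"
    if command -v audit2allow >/dev/null 2>&1; then
        grep 'avc: *denied' "$log" | audit2allow -M "$name" && semodule -i "$name.pp"
    else
        echo "would run: grep 'avc: *denied' $log | audit2allow -M $name && semodule -i $name.pp"
    fi
}

# Constructed sample denials (not from any real host) in the format
# CentOS 6 auditd writes, so summarize_avc can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1321033978.123:4521): avc:  denied  { read } for  pid=2345 comm="httpd" name="nfsen.conf" dev=dm-0 ino=131073 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1321033978.130:4522): avc:  denied  { read } for  pid=2345 comm="httpd" name="nfsen.conf" dev=dm-0 ino=131073 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1321033979.456:4523): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5060 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sip_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1321033980.789:4524): avc:  denied  { write create } for  pid=3456 comm="asterisk" name="spool" dev=dm-0 ino=262145 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1321033980.789:4524): arch=c000003e syscall=2 success=no exit=-13
EOF
}

# On a live box:
#   selinux_kernel_support    # "no" on a kernel without SELinux compiled in
#   summarize_avc             # needs read access to /var/log/audit/audit.log
```

On a kernel that lacks SELinux, getenforce reports Disabled whatever /etc/selinux/config says, which is exactly the empty-log symptom the post describes; selinux_kernel_support above makes that visible without relying on the userland tools. The summary step matters because audit2allow turns every denial it is fed into an allow rule, and for a PHP application running as httpd_t that quickly becomes the overly broad policy mentioned above; check the httpd booleans (getsebool -a) and file labels first, and feed audit2allow only the denials that remain.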


