I moved my personal external server to Linode; running CentOS 6 there.

I upgraded my test/home box to CentOS 6 and decided that I would enable SELinux 
and run in Enforcing mode.  Too much coffee does that sort of thing to me; it's 
been very interesting.  I've had to create two policies (one for Asterisk, and 
one for nfsen) to get around issues that couldn't be solved by ensuring objects 
were labeled correctly and the like; the former is a small-enough hole that I'm 
not particularly worried, and the latter is overly broad - but it seems to be 
really hard to constrain PHP applications.  Especially if you don't know PHP...

Of course I turned on SELinux on my Linode, and wondered why there was nothing 
in the logs.  Turns out the distros they provide, like others you mentioned, 
don't have support for SELinux.  There were some discussions that you could 
build your own kernels on their hosts that would support SELinux, and that some 
people had done so; it was easier for me for that application to let it slide.

I decided that if I get to the point where it's an issue, I'd probably look 
into separation of "domains" by VMs - that is, ensure that compromise of any VM 
wouldn't affect the security of other pieces of the application.  That's just a 
different design perspective, and probably not all that helpful to you.  Bottom 
line, though, is that Xen apparently doesn't rule out SELinux in a guest.

Also, there are SELinux policies for RHEL/CentOS for VMs themselves.  

BTW, there are some discussions on the AWS forums where people have claimed to 
have enabled it. And the Amazon AMI (2011.09) has the SELinux packages 
included...

HTH,
_KMP

K. M. Peterson, Boston
40 Stanton Road
Brookline, MA  02445-6839
Phone: +1 617 731 6177
http://kmpeterson.com/resume
Contact information, calendar, LinkedIn, Twitter, IM, Skype:
http://kmpeterson.com/contact


On 11 Nov 2011, at 11:24 , Edward Ned Harvey wrote:

> I am asking, all you folks out there running lots of different virtualization 
> providers - Which providers, under which conditions, DON'T mess up selinux?

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
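As an added example (not the poster's code, and not part of this thread), here is a small Python script for the triage step the message describes when running Enforcing: read AVC denials out of an audit log, collapse them per source domain / target type / object class, separate the ones where the target carries a generic label (so a file-context fix with `semanage fcontext` plus `restorecon` is usually the right answer) from the ones that genuinely need an allow rule, and render the latter in the Type Enforcement syntax `audit2allow` emits so you can see how broad a custom module would be before loading it. The audit lines are constructed, and the domain/type names in them, the `GENERIC_TYPES` set and the relabel-versus-policy heuristic are assumptions for illustration.

```python
"""Triage SELinux AVC denials: what is a labelling problem, what needs policy,
and how broad the resulting allow rules would be.

Added example, not the mailing-list poster's code. The log text below is
constructed to look like /var/log/audit/audit.log on a CentOS 6 box; the
type names are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not real data). One SYSCALL record is
# included to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1320924000.101:42): avc:  denied  { read } for  pid=2031 comm="asterisk" name="sip.conf" dev=dm-0 ino=5123 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1320924000.102:43): avc:  denied  { open } for  pid=2031 comm="asterisk" name="sip.conf" dev=dm-0 ino=5123 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1320924100.500:77): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320924100.501:78): avc:  denied  { write } for  pid=2210 comm="httpd" name="nfsen" dev=dm-0 ino=9981 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1320924100.502:79): avc:  denied  { create } for  pid=2210 comm="httpd" name="tmp.rrd" dev=dm-0 ino=9982 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1320924100.502:79): arch=c000003e syscall=2 success=no exit=-13
"""

# Fields we need from an AVC record; the MLS range in a context is one \S+ token.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Heuristic (an assumption): a denial whose target has one of these generic
# labels usually means the object is mislabelled, not that the policy is wrong.
GENERIC_TYPES = {"user_home_t", "default_t", "unlabeled_t", "var_t", "tmp_t"}


def parse_avc(log_text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = sorted(d["perms"].split())
        # user:role:type:range -> keep the type, which is what allow rules use.
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def summarize(denials):
    """Collapse denials into {(source type, target type, class): {perms}}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(rules)


def classify(rules):
    """Split into relabel candidates (generic file/dir target) and policy gaps."""
    relabel, policy = {}, {}
    for key, perms in rules.items():
        _stype, ttype, tclass = key
        if ttype in GENERIC_TYPES and tclass in ("file", "dir", "lnk_file"):
            relabel[key] = perms
        else:
            policy[key] = perms
    return relabel, policy


def te_rules(rules):
    """Render allow rules in the Type Enforcement form audit2allow prints."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(rules.items())
    ]


def breadth(rules):
    """How many (target type, class) pairs each source domain would gain."""
    per_domain = defaultdict(set)
    for (s, t, c) in rules:
        per_domain[s].add((t, c))
    return {s: len(v) for s, v in per_domain.items()}


if __name__ == "__main__":
    rules = summarize(parse_avc(SAMPLE_AUDIT_LOG))
    relabel, policy = classify(rules)
    print("Likely labelling problems (fix with semanage fcontext / restorecon):")
    for line in te_rules(relabel):
        print("  #", line)
    print("Rules a custom module would need:")
    for line in te_rules(policy):
        print("  ", line)
    print("Breadth if everything were allowed as-is:", breadth(rules))
```

Run it against a real log with `ausearch -m avc` piped in instead of the constructed sample; the `breadth` figure is the thing to watch for a PHP application such as the nfsen case above, since a module that grants one web domain access to many target types is exactly the "overly broad" result the message warns about.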
