Hans-Thomas Mueller napisał(a):
> Another option instead of Xen or SELinux is to set up vservers_, with
> Grsec+Pax.  The performance impact is minimal but you still get clean
> and isolated environments for your services.
> 
> SELinux gives some additional security indeed but is quite expensive to
> administer -- unless you run only pre-configured packages on your
> server.  Once you start running your own software you spend much time
> writing policies.  I have run some SELinux servers a while ago and I
> won't do it again unless absolutely necessary.  I see the use of SELinux
> mainly in fine-grained control of interactions of human users with shell
> accounts in a high security environment.  Servers should be as simple as
> possible, I think.
> 
> Regards,
> Hans-Thomas

I have my server for about a year and I didn't have serious problems,
but it has only few services running: firewall, web cache, dhcp, ntp,
nfs, dns.

There is also so called "targeted policy". It protects daemons, but runs
other processes in a role that has access to everything.

Thus, when you want to run only commonly used daemons (that have
policies), or when you choose targeted policy, SELinux isn't very hard
to use.

Regards,
Marek Wróbel
-- 
[email protected] mailing list

Reply via email to