[colug-432] SELinux == Sadness
Joshua Kramer
josh at globalherald.net
Sun Apr 25 17:04:36 EDT 2010
> If only it were possible to test everything under all conditions (if
> only P did equal NP). Really, though, it's actually more indicative
Actually, as RHEL 5 and 6 are configured in their 'Enforcing' mode, you
only need to test for interaction with the outside world. If your
application only ever opens one file and connects to one server, those
will be the two 'pain points' with SELinux. You would need to test cases
where the file is created, opened, read from, written to, and closed;
likewise with the network socket.
Here's an article I wrote a while back about how you can secure a website
with SELinux. It also demonstrates what happens when a violation occurs.
http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications
I may revisit the article and consider mod_selinux:
http://www.redhat.com/archives/fedora-package-announce/2009-May/msg01395.html
mod_selinux is one of the reasons I've been awaiting the arrival of RHEL6.
Basically, with mod_selinux, you can have each separate website running
under its own security context... it's expensive in terms of performance,
because each request fires off a new Apache thread, but the security
simply can't be beat... by anything!
--
-----
http://www.globalherald.net/jb01
GlobalHerald.NET, the Smarter Social Network! (tm)
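The post's point is that under Enforcing mode the "pain points" for an application are its file and socket interactions, and that a violation shows up as an AVC denial in the audit log. The following Python script, added here as an example and not taken from the post or the linked article, parses a handful of constructed AVC lines in the format the kernel writes to /var/log/audit/audit.log, splits the source and target contexts, and groups the denials into the two categories named above (files and sockets) so a tester can see at a glance which labels or booleans still need attention. The sample lines, the process name httpd, the paths and the port number are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample audit lines (not real denials) in the AVC record format.
# The SYSCALL line is there to show that non-AVC records are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1272229476.123:1001): avc:  denied  { open } for  pid=2345 comm="httpd" path="/srv/www/app/config.ini" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1272229477.456:1002): avc:  denied  { write } for  pid=2345 comm="httpd" name="app.log" dev=sda1 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1272229478.789:1003): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1272229478.789:1003): arch=c000003e syscall=42 success=no exit=-13 ...
type=AVC msg=audit(1272229480.000:1004): avc:  denied  { open } for  pid=2345 comm="httpd" path="/srv/www/app/config.ini" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, decision and the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
# key=value pairs in the remainder; values may be quoted (paths, names) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the type (third field) is the SELinux domain.
    parts = rec.get("scontext", "").split(":")
    rec["sdomain"] = parts[2] if len(parts) > 2 else ""
    return rec


def parse_audit_log(text):
    """Parse every AVC record in a block of audit-log text."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize_denials(records):
    """Count distinct (source domain, target type, object class, permission) tuples."""
    counts = Counter()
    for r in records:
        if r["decision"] != "denied":
            continue
        target_type = r["tcontext"].split(":")[2]
        for perm in r["perms"]:
            counts[(r["sdomain"], target_type, r["tclass"], perm)] += 1
    return counts


def pain_points(records):
    """Group denied objects into the two categories the post names: files and sockets."""
    files = sorted({
        r.get("path") or r.get("name")
        for r in records
        if r["decision"] == "denied" and r["tclass"] in ("file", "dir")
    })
    sockets = sorted({
        (r["tclass"], r.get("dest"))
        for r in records
        if r["decision"] == "denied" and r["tclass"].endswith("socket")
    })
    return {"files": files, "sockets": sockets}


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarize_denials(recs).items()):
        print("%dx %s -> %s (%s:%s)" % (n, key[0], key[1], key[2], key[3]))
    print(pain_points(recs))
```

The grouped output is what you would act on after a test run: a file denied against a generic type such as default_t usually means the file needs relabeling (check with `ls -Z`, fix with `semanage fcontext` and `restorecon`), while a name_connect denial on a port type points at a policy boolean (`getsebool -a` lists them). Feeding the same records to `audit2allow` shows the rule a local module would need, but inspecting the grouping first avoids writing rules for what is really a labeling mistake.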