Everyone knows software is imperfect. Even when you're fully patched and following good practices, somebody can hack your Apache (or whatever), and that's why we layer on additional security such as SELinux (or whatever). I was recently called to examine a publicly facing production web server on fully patched CentOS 5, and I found somebody had successfully attacked it just by requesting a mangled URL, which launches arbitrary commands outside of Apache's normal behavior. This is the sort of thing SELinux is supposed to catch and prevent... But SELinux is disabled.

When you install RHEL/CentOS/whatever using an ISO (or whatever) it prompts you to enable/disable SELinux and so forth, but a lot of the paravirtualization install processes don't run the "normal" system installer, and neglect this vital security setup, and you end up with a system lacking SELinux.

I am asking all you folks out there running lots of different virtualization providers: which providers, under which conditions, DON'T mess up SELinux?

Here are my current data points:

You can check the status of SELinux with the command: sestatus
If it's disabled, I definitely don't recommend simply turning it on. Do it on a test system, because it's sure to mess things up dramatically.

On ESX, since it's fully virtualized and the guest OS is installed from the ISO, the normal guest OS install process applies, and SELinux works perfectly.

On Amazon, since it's paravirtualized, and most image-building guides tell you to "create a filesystem, copy in these files..." and stuff like that, SELinux is almost always neglected. Maybe always. I have not tried enabling SELinux after creating a machine on Amazon; maybe it works, maybe not.

On Rackspace, the default images they make available for you don't have SELinux, and if you try to enable it, it fails. They have some special process you can follow, with the assistance of a support rep, to create some other sort of image which supports SELinux. I have not tried it yet, so I can't testify to whether it's good or not.

I formerly used prgmr, and based on memory I am almost totally certain they do it right. Can anybody confirm?

What other virtualization hosts are people using?
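The sestatus check above only tells you what the kernel is doing right now; the state a copied-in image is really in only becomes clear when you also compare it with what /etc/selinux/config will ask for at the next boot. The shell audit below is an added example written for this thread, not code from the original post or from any of the providers named in it. It parses the real "SELinux status:" and "Current mode:" fields that sestatus prints, reads the SELINUX= line of /etc/selinux/config, and combines the two into a verdict; the function names and verdict tokens (OK, PERMISSIVE, DISABLED, MISMATCH) are this example's own, and the two sestatus samples are constructed in the format of that tool rather than captured from a real host. The parsing is kept separate from the live calls so the functions can be exercised offline on sample text.

```shell
#!/bin/sh
# Added example for this thread, not from the original post: audit a host's
# SELinux state before deciding whether (and how carefully) to turn it on.
# Three signals matter: what the kernel is enforcing right now (sestatus),
# what /etc/selinux/config will ask for at next boot, and whether the two
# agree. Hosts built by "make a filesystem and copy files in" usually show
# "disabled" for both, and a filesystem that was never labeled needs a
# relabel (touch /.autorelabel on RHEL/CentOS) before enforcing will work.

# Report the mode requested at boot from a selinux config file ($1).
# Prints enforcing, permissive, disabled, or missing (no file / no SELINUX= line).
selinux_config_mode() {
    cfg="$1"
    [ -r "$cfg" ] || { echo missing; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" \
           | tail -n 1 | tr 'A-Z' 'a-z')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo missing ;;
    esac
}

# Report the mode the kernel is in right now, parsed from sestatus output ($1).
# Prints enforcing, permissive, or disabled (also when the tool printed nothing).
selinux_runtime_mode() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/^SELinux status:[[:space:]]*\([A-Za-z]*\).*/\1/p')
    if [ "$status" != "enabled" ]; then
        echo disabled
        return 0
    fi
    cur=$(printf '%s\n' "$out" | sed -n 's/^Current mode:[[:space:]]*\([A-Za-z]*\).*/\1/p')
    case "$cur" in
        enforcing|permissive) echo "$cur" ;;
        *) echo disabled ;;
    esac
}

# Combine runtime ($1) and boot-config ($2) modes into one verdict token.
# Tokens are this example's own: OK, PERMISSIVE, DISABLED, MISMATCH.
selinux_verdict() {
    case "$1:$2" in
        enforcing:enforcing)                echo OK ;;
        permissive:permissive)              echo PERMISSIVE ;;
        disabled:disabled|disabled:missing) echo DISABLED ;;
        *)                                  echo MISMATCH ;;
    esac
}

# Human-readable advice for a verdict token ($1).
selinux_advice() {
    case "$1" in
        OK)         echo "enforcing now and at next boot" ;;
        PERMISSIVE) echo "denials are logged to audit.log but nothing is blocked; review the log, then switch to enforcing" ;;
        DISABLED)   echo "never set up (typical of copied-in images); on a test system first: set SELINUX=permissive, touch /.autorelabel, reboot, fix denials, then go enforcing" ;;
        MISMATCH)   echo "runtime and /etc/selinux/config disagree (kernel booted with selinux=0, or config edited without a reboot); the next reboot will change behaviour" ;;
    esac
}

# Constructed sample sestatus output (not captured from a real host) for an
# ISO-installed CentOS 5 guest where the installer left SELinux on...
SAMPLE_ISO_HOST='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

# ...and for an image assembled by copying files into a fresh filesystem.
SAMPLE_IMAGE_HOST='SELinux status:                 disabled'

# Live audit of this host; opt-in so the parsing above stays usable offline.
if [ "${1:-}" = "--live" ]; then
    if command -v sestatus >/dev/null 2>&1; then
        live=$(sestatus 2>/dev/null || true)
    else
        live=""   # no policycoreutils installed at all: treat as disabled
    fi
    rt=$(selinux_runtime_mode "$live")
    cf=$(selinux_config_mode /etc/selinux/config)
    v=$(selinux_verdict "$rt" "$cf")
    echo "runtime=$rt config=$cf verdict=$v"
    echo "advice: $(selinux_advice "$v")"
fi
```

Run it as `sh selinux_audit.sh --live` on the guest you are evaluating; a fresh ESX guest installed from the ISO should come back OK, while a copied-in cloud image typically reports DISABLED for both signals. MISMATCH is the case worth a second look, because it means the box will behave differently after its next reboot than it does now.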