danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
VMWare wants you to turn SELinux off? Really?
danwalsh
i·ro·ny
1.  The use of words to convey a meaning that is the opposite of its literal meaning: the irony of her reply, “How nice!” when I said I had to work all weekend.
2. an outcome of events contrary to what was, or might have been, expected.

One of the great features of KVM Virtualization is that each virtual machine is wrapped in an SELinux sandbox.   All the software used to run a virtual machine on a host is called a hypervisor.  When you run virtual machines, you have to worry about hypervisor vulnerabilities, which would allow your guest operating system to attack the host or other virtual machines you have running on the host.

We strive to make the Linux KVM Hypervisor as secure as possible, but bugs happen.  SELinux can control what the virtual machine process can and can not do on the host machine.   If you are running virtual machines on you Fedora or Red Hat box, you really should be running SELinux in enforcing mode.

It has come to my attention that VMWare support is suggesting people turn off SELinux...  I guess SELiux is too complicated for the VMWare crack support team to handle.

At Red Hat we consider security a priority, VMWare I am not so sure.

If you are having a problem running any VMWare product on a RHEL or Fedora Operating system, contact me dwalsh@redhat.com and I will help you run your virtual machines and leave the security in place...

Hacking the Cloud
April 2011 "How it Works" issue of Popular Science,   by Marie Pacella


No HTML allowed in subject

  
 
   
 

(will be screened)

You are viewing danwalsh