Dan Walsh's Blog

Got SELinux?


VMWare wants you to turn SELinux off? Really?
danwalsh
i·ro·ny
1. The use of words to convey a meaning that is the opposite of its literal meaning: the irony of her reply, “How nice!” when I said I had to work all weekend.
2. An outcome of events contrary to what was, or might have been, expected.

One of the great features of KVM Virtualization is that each virtual machine is wrapped in an SELinux sandbox. All the software used to run a virtual machine on a host is called a hypervisor. When you run virtual machines, you have to worry about hypervisor vulnerabilities, which would allow your guest operating system to attack the host or other virtual machines you have running on the host.

We strive to make the Linux KVM Hypervisor as secure as possible, but bugs happen. SELinux can control what the virtual machine process can and cannot do on the host machine. If you are running virtual machines on your Fedora or Red Hat box, you really should be running SELinux in enforcing mode.
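As an added illustration (not part of the original post), here is a check a host administrator can run to confirm the isolation described above: under sVirt each guest's qemu process carries the SELinux type svirt_t plus its own MCS category pair, and it is that unique pair that keeps one compromised guest away from another guest's process and disk image. The `ps -eZ` output below is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original post: verify that every qemu-kvm process
# on a KVM host is confined by sVirt, i.e. runs as SELinux type svirt_t with a
# unique MCS category pair (s0:cA,cB). The pair is what keeps one compromised
# guest from touching another guest's process or disk image.
#
# Input is `ps -eZ` output (label pid tty time cmd). On a real host:
#     ps -eZ | check_svirt_labels
# Prints one line per violation; exit status 0 only when all guests are confined.
check_svirt_labels() {
    awk '
        /qemu/ {
            if ($1 == "-") {                     # ps shows "-" when SELinux is disabled
                printf "pid %s: no SELinux label, SELinux is disabled\n", $2; bad = 1; next
            }
            split($1, f, ":")                    # user:role:type:sensitivity:categories
            type = f[3]; cats = f[5]
            if (type != "svirt_t") {
                printf "pid %s: type %s is not svirt_t (guest unconfined)\n", $2, type; bad = 1
            } else if (cats == "") {
                printf "pid %s: svirt_t without MCS categories (no guest isolation)\n", $2; bad = 1
            } else if (cats in seen) {
                printf "pid %s: categories %s already used by pid %s\n", $2, cats, seen[cats]; bad = 1
            } else {
                seen[cats] = $2
            }
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample output (not captured from a real host): two guests correctly
# isolated, one running unconfined, one sharing another guest's categories.
SAMPLE_BAD='LABEL PID TTY TIME CMD
system_u:system_r:svirt_t:s0:c10,c20 2101 ? 00:00:05 qemu-kvm -name web1
system_u:system_r:svirt_t:s0:c33,c48 2155 ? 00:00:03 qemu-kvm -name db1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 ? 00:00:01 qemu-kvm -name test
system_u:system_r:svirt_t:s0:c10,c20 2260 ? 00:00:02 qemu-kvm -name web2'

# Constructed sample of a healthy host: every guest has its own category pair.
SAMPLE_GOOD='LABEL PID TTY TIME CMD
system_u:system_r:svirt_t:s0:c10,c20 2101 ? 00:00:05 qemu-kvm -name web1
system_u:system_r:svirt_t:s0:c33,c48 2155 ? 00:00:03 qemu-kvm -name db1'

printf '%s\n' "$SAMPLE_BAD" | check_svirt_labels || echo "guests are not properly confined"
```

A guest labelled anything other than svirt_t, or two guests sharing a category pair, means SELinux is no longer separating those guests even though it may still be in enforcing mode.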

It has come to my attention that VMWare support is suggesting people turn off SELinux... I guess SELinux is too complicated for the VMWare crack support team to handle.

At Red Hat we consider security a priority; with VMWare, I am not so sure.

If you are having a problem running any VMWare product on a RHEL or Fedora Operating system, contact me at dwalsh@redhat.com and I will help you run your virtual machines and leave the security in place...

Hacking the Cloud
April 2011 "How it Works" issue of Popular Science, by Marie Pacella


What documentation would you like to see?

danwalsh

2012-03-03 01:22 pm (UTC)

Have you opened a bugzilla for documentation that you see missing? RFE?

I am an SELinux developer and I have not dug my heels in on any documentation that I know of.

RHEL has lots of documentation. I publish pretty regularly, and there is lots of documentation available on access.redhat.com. Fedora has a couple of docs written on SELinux.

http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US/F11/html/

I have recently created over 400 man pages on confined domains, and am working on man pages for each confined user type.

