danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
VMWare wants you to turn SELinux off? Really?
danwalsh
i·ro·ny
1.  The use of words to convey a meaning that is the opposite of its literal meaning: the irony of her reply, “How nice!” when I said I had to work all weekend.
2. an outcome of events contrary to what was, or might have been, expected.

One of the great features of KVM Virtualization is that each virtual machine is wrapped in an SELinux sandbox.   All the software used to run a virtual machine on a host is called a hypervisor.  When you run virtual machines, you have to worry about hypervisor vulnerabilities, which would allow your guest operating system to attack the host or other virtual machines you have running on the host.

We strive to make the Linux KVM Hypervisor as secure as possible, but bugs happen.  SELinux can control what the virtual machine process can and can not do on the host machine.   If you are running virtual machines on you Fedora or Red Hat box, you really should be running SELinux in enforcing mode.

It has come to my attention that VMWare support is suggesting people turn off SELinux...  I guess SELiux is too complicated for the VMWare crack support team to handle.

At Red Hat we consider security a priority, VMWare I am not so sure.

If you are having a problem running any VMWare product on a RHEL or Fedora Operating system, contact me dwalsh@redhat.com and I will help you run your virtual machines and leave the security in place...

Hacking the Cloud
April 2011 "How it Works" issue of Popular Science,   by Marie Pacella


Re: What documentation would you like to see?

pfrields.id.fedoraproject.org

2012-03-03 06:57 pm (UTC)

And don't forget the Red Hat Enterprise Linux documentation:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html (http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html)

Edited at 2012-03-03 06:58 pm (UTC)

You are viewing danwalsh