[ale] virtualize a FC6 box to a vmware image

Jeff Lightner jlightner at water.com
Thu May 3 09:23:31 EDT 2007


Well I grant I do a lot more security on external facing systems.  Of
course with "defense in depth" being the new buzz we may all end up
having to do SELinux even on internal systems.  

It comes from the NSA so I fear the true meaning of SE is Spyware
Embedded :p

-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
James P. Kinney III
Sent: Thursday, May 03, 2007 9:18 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] virtualize a FC6 box to a vmware image

On Thu, 2007-05-03 at 08:58 -0400, Jeff Lightner wrote:
> Yet another good reason to turn off SELinux IMO. 

well...

For an internal workstation, sure.  But for an external-facing web
server, no. SELinux adds a layer of security that is priceless. It
monitors and prevents app A from doing anything but what app A was
designed to do. If there is an unknown remote exploit bug in, say, PHP
that allows a crafty black-hat to do "evil things", SELinux will
effectively put those evil things in a tight sandbox. So even though PHP
can access a database it can be prevented from accessing the file
structure at a very deep level.

Think of SELinux as a process that chroots everything but allows outside
communication to occur down heavily guarded tunnels.

It is a royal PITA to work with :)
>   
> 
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> James P. Kinney III
> Sent: Thursday, May 03, 2007 8:55 AM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] virtualize a FC6 box to a vmware image
> 
> On Thu, 2007-05-03 at 08:44 -0400, Jeff Lightner wrote:
> > Programs have to be "aware of SELinux" rather than vice-versa?
> > 
> 
> Sort of. SELinux adds a small pile of extended attributes to each
> file/directory. Unless the app that is manipulating them at the low
> level "knows" SELinux, then those attributes will not get transferred.
> 
> tar doesn't speak SELinux so star was written (note: RedHat tar may have
> the SELinux extensions backported - need to check...)
> 
> rsync does not know SELinux. So to do a _full_ copy, it will be needed
> to script in the final comparison of attributes and merge them to the
> off-site copy. Basically, the rsync will use the SELinux on the target
> machine. So if the source machine has settings that are different from
> the drop location on the target, they will be lost.
> 
> Grr.....
> 
> 
> > From:ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> > Jerry Yu
> > Sent: Thursday, May 03, 2007 8:26 AM
> > To: Atlanta Linux Enthusiasts
> > Subject: Re: [ale] virtualize a FC6 box to a vmware image
> > 
> > 
> >  
> > 
> > this is pretty close to my own full backup+recovery steps. should I
> > assume rsync is not aware of SELinux attributes?
> > 
> > On 5/2/07, Brian Pitts <brian at polibyte.com> wrote:
> > 
> > Jerry Yu wrote:
> > > I have a FC6 box running wordpress. It became desirable to convert
> > > it to a vmware instance.  'vmware converter' and it asked me for domain
> > > \user to convert a remote physical server?!   Any vmware (quick) way w/o
> > > doing  full backup & restore I usually do?
> > 
> > I don't think the vmware converter supports linux. Take a look at
> > http://www.vmware.com/community/thread.jspa?threadID=82173&tstart=0.
> > They recommend something like
> > 
> > - Enable ssh access in the source system
> > - Create a vm for the target system
> > - Boot the vm with a linux live-cd (System Rescue CD or RIP are light
> > ones)
> > - Setup the network in the vm as usual
> > - mount the virtual hd destination partition. Eg.
> > mount /dev/hda /mnt/dest
> > - rsync -av --numeric-ids --exclude=/dev --exclude=/proc --exclude=/sys
> > root at ip-source:/dev/hd(source-partition)/ /mnt/dest/
> > - mkdir /mnt/dest/{dev,proc,sys}
> > - adjust the bootloader and fstab of the virtual system to reflect the
> > new root
> > - umount /mnt/dest
> > - reboot vm
> > 
> > -Brian
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
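James's point above, that rsync will not carry the SELinux attributes over and that the final comparison and merge has to be scripted, worked through as an added example (not code from the thread or from anyone in it): given getfattr dumps of the security.selinux xattr taken on the source and on the mounted destination (assumed inputs; the /mnt/dest prefix and the sample labels below are constructed), it prints the setfattr commands that would bring the destination labels back in line with the source.

```shell
# Added example (not from the thread): diff the security.selinux xattr of every
# file between a source dump and a destination dump and print the setfattr
# commands that re-apply the source labels. Assumed inputs, one made per side:
#   getfattr -R -d -m security.selinux --absolute-names /         > src.attrs
#   getfattr -R -d -m security.selinux --absolute-names /mnt/dest > dst.attrs
set -eu
# getfattr dump -> "path<TAB>label" lines; $2 is a mount prefix to strip so
# destination paths (/mnt/dest/etc/shadow) line up with source paths.
parse_attrs() {  # $1 = dump file, $2 = prefix ("" for the source dump)
    awk -v prefix="$2" '
        /^# file: / { path = substr($0, 9); sub("^" prefix, "", path); next }
        /^security\.selinux=/ { label = substr($0, 18); gsub(/"/, "", label)
                                print path "\t" label }
    ' "$1"
}
# One setfattr command per path whose label is missing or different on the
# destination; nothing is applied, so the output can be reviewed before use.
selinux_relabel_cmds() {  # $1 = source dump, $2 = dest dump, $3 = dest prefix
    src=$(mktemp); dst=$(mktemp)
    parse_attrs "$1" ""   > "$src"
    parse_attrs "$2" "$3" > "$dst"
    awk -F '\t' -v prefix="$3" -v dstfile="$dst" '
        FILENAME == dstfile { have[$1] = $2; next }   # destination labels
        !($1 in have) || have[$1] != $2 {             # source label not on dest
            printf "setfattr -n security.selinux -v %s %s%s\n", $2, prefix, $1 }
    ' "$dst" "$src"
    rm -f "$src" "$dst"
}
# Constructed sample: on the target wp-config.php picked up a default label and
# /etc/shadow has none; index.php already matches and must not be listed.
demo() {
    s=$(mktemp); d=$(mktemp)
    cat > "$s" <<'EOF'
# file: /var/www/html/index.php
security.selinux="system_u:object_r:httpd_sys_content_t:s0"
# file: /var/www/html/wp-config.php
security.selinux="system_u:object_r:httpd_sys_content_t:s0"
# file: /etc/shadow
security.selinux="system_u:object_r:shadow_t:s0"
EOF
    cat > "$d" <<'EOF'
# file: /mnt/dest/var/www/html/index.php
security.selinux="system_u:object_r:httpd_sys_content_t:s0"
# file: /mnt/dest/var/www/html/wp-config.php
security.selinux="unconfined_u:object_r:default_t:s0"
EOF
    selinux_relabel_cmds "$s" "$d" /mnt/dest
    rm -f "$s" "$d"
}
```

Run on the live CD, the output can be checked and then piped to sh before the bootloader and fstab step. rsync 3.0 and later with -X (--xattrs), run as root on both ends, can carry the security.selinux label across with the file, which removes the need for this merge step.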
