[ale] virtualize a FC6 box to a vmware image

James P. Kinney III jkinney at localnetsolutions.com
Thu May 3 09:18:25 EDT 2007


On Thu, 2007-05-03 at 08:58 -0400, Jeff Lightner wrote:
> Yet another good reason to turn off SELinux IMO. 

well...

For an internal workstation, sure.  But for an external-facing web
server, no. SELinux does a layer of security that is priceless. It
monitors and prevents app A from doing anything but what app A was
designed to do. If there is an unknown remote exploit bug in, say, PHP
that allows a crafty black-hat to do "evil things", SELinux will
effectively put those evil things in a tight sandbox. So even though PHP
can access a database, it can be prevented from accessing the file
structure at a very deep level.

Think of SELinux as a process that chroots everything but allows outside
communication to occur down heavily guarded tunnels.

It is a royal PITA to work with :)
>   
> 
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> James P. Kinney III
> Sent: Thursday, May 03, 2007 8:55 AM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] virtualize a FC6 box to a vmware image
> 
> On Thu, 2007-05-03 at 08:44 -0400, Jeff Lightner wrote:
> > Programs have to be "aware of SELinux" rather than vice-versa?
> > 
> 
> Sort of. SELinux adds a small pile of extended attributes to each
> file/directory. Unless the app that is manipulating them at the low
> level "knows" SELinux, then those attributes will not get transferred.
> 
> tar doesn't speak SELinux so star was written (note: RedHat tar may have
> the SELinux extensions backported - need to check...)
> 
> rsync does not know SELinux. So to do a _full_ copy, it will be needed
> to script in the final comparison of attributes and merge them to the
> off-site copy. Basically, the rsync will use the SELinux on the target
> machine. So if the source machine has settings that are different from
> the drop location on the target, they will be lost.
> 
> Grr.....
> 
> 
> >  
> > 
> >                                    
> > ______________________________________________________________________
> > From:ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> > Jerry Yu
> > Sent: Thursday, May 03, 2007 8:26 AM
> > To: Atlanta Linux Enthusiasts
> > Subject: Re: [ale] virtualize a FC6 box to a vmware image
> > 
> > 
> >  
> > 
> > this is pretty close to my own full backup+recovery steps. should I
> > assume rsync is not aware of SELinux attributes?
> > 
> > On 5/2/07, Brian Pitts <brian at polibyte.com> wrote:
> > 
> > Jerry Yu wrote:
> > > I have a FC6 box running wordpress. It became desirable to convert
> > it to 
> > > a vmware instance.  'vmware converter' and it asked me for domain
> > \user
> > > to convert a remote physical server?!   Any vmware (quick) way w/o
> > > doing  full backup & restore I usually do?
> > 
> > I don't think the vmware converter supports linux. Take a look at
> > http://www.vmware.com/community/thread.jspa?threadID=82173&tstart=0.
> > They recommend something like
> > 
> > - Enable ssh access in the source system
> > - Create a vm for the target system
> > - Boot the vm with a linux live-cd (System Rescue CD or RIP are light
> > ones)
> > - Setup the network in the vm as usual 
> > - mount the virtual hd destination partition. Eg.
> > mount /dev/hda /mnt/dest
> > - rsync -av --numeric-ids --exclude=/dev,/proc,/sys
> > root at ip-source:/dev/hd(source-partition)/ /mnt/dest/
> > - mkdir /mnt/dest/{dev,proc,sys} 
> > - adjust the bootloader and fstab of the virtual system to reflect the
> > new root
> > - umount /mnt/dest
> > - reboot vm
> > 
> > -Brian
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
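
The "final comparison of attributes" that the quoted reply about rsync calls for, as an added example that is not part of the original thread. It assumes the labels on both sides were dumped with `getfattr -R -h -d -m security.selinux .` (once at the top of the source filesystem, once in /mnt/dest); the function names and the sample dumps are constructed for illustration.

```python
import os
import shlex

# Constructed sample dumps, in the text format written by
#   getfattr -R -h -d -m security.selinux .
# taken at the source root (SRC_DUMP) and in /mnt/dest after the rsync (DST_DUMP).
SRC_DUMP = r'''# file: etc/fstab
security.selinux="system_u:object_r:etc_t:s0"

# file: var/www/html/wp-config.php
security.selinux="system_u:object_r:httpd_sys_content_t:s0\000"

# file: var/www/html/wp-content/my upload.png
security.selinux="system_u:object_r:httpd_sys_content_t:s0"
'''
DST_DUMP = r'''# file: etc/fstab
security.selinux="system_u:object_r:etc_t:s0"

# file: var/www/html/wp-config.php
security.selinux="system_u:object_r:file_t:s0"
'''

def parse_dump(text):
    """Parse getfattr dump text into {relative_path: selinux_context}."""
    labels, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = os.path.normpath(line[len("# file: "):])
        elif path and line.startswith('security.selinux="') and line.endswith('"'):
            value = line[len('security.selinux="'):-1]
            # A NUL stored after the label may be printed as \000; drop it.
            if value.endswith("\\000"):
                value = value[:-4]
            labels[path] = value
    return labels

def relabel_plan(src_dump, dst_dump, dest_root):
    """Return chcon commands that make the copy's labels match the source."""
    src, dst = parse_dump(src_dump), parse_dump(dst_dump)
    plan = []
    for path in sorted(src):
        # A path absent from the destination dump carries no label there
        # (getfattr only lists files that have the attribute), so relabel it too.
        if dst.get(path) != src[path]:
            target = os.path.join(dest_root, path)
            plan.append(f"chcon -h {shlex.quote(src[path])} {shlex.quote(target)}")
    return plan
```

The returned list is a plan to review before running it as root; files whose label already matches the source produce no command.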