[ale] virtualize a FC6 box to a vmware image

Thompson Freeman tfreeman at intel.digichem.net
Thu May 3 13:37:37 EDT 2007


On 05/03/2007 09:23:31 AM, Jeff Lightner wrote:
> Well I grant I do a lot more security on external facing systems. Of
> course with "defense in depth" being the new buzz we may all end up
> having to do SELinux even on internal systems.
> 
> It comes from the NSA so I fear the true meaning of SE is Spyware
> Embedded :p
> 

Cute commentary, but the lads (and ladies?) who developed it may take
offense when hopefully none was intended. SELinux is open source. Examine
it. Test it. And by all means turn it off/never start it if the addition
is too big a PITA, or you cannot bring yourself to trust it.

Ok. SELinux _is_ different, and I do not have any reasonable portion of
my mind wrapped around it. I expect I'll get there someday, but someday
is in the cloudy future. Meantime, the last release of Fedora seems to
have gotten the rules set up so that it stays out of my way at the
moment. Not so good from a learning perspective, much nicer from a usage
perspective.

FWIW, there was a thread on the Fedora list some months back hassling
SELinux. As I recall, one of the developers was on the list at the time,
and resented the presumption that they were out to do dirt on the
community. ('Course I could be making that memory up, so feel free to
check me).

> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> James P. Kinney III
> Sent: Thursday, May 03, 2007 9:18 AM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] virtualize a FC6 box to a vmware image
> 
> On Thu, 2007-05-03 at 08:58 -0400, Jeff Lightner wrote:
> > Yet another good reason to turn off SELinux IMO.
> 
> well...
> 
> For an internal workstation, sure.  But for an external-facing web
> server, no. SELinux does a layer of security that is priceless. It
> monitors and prevents app A from doing anything but what app A was
> designed to do. If there is an unknown remote exploit bug in, say, PHP
> that allows a crafty black-hat to do "evil things", SELinux will
> effectively put those evil things in a tight sandbox. So even though PHP
> can access a database it can be prevented from accessing the file
> structure at a very deep level.
> 
> Think of SELinux as a process that chroots everything but allows outside
> communication to occur down heavily guarded tunnels.
> 
> It is a royal PITA to work with :)
> >
> > -----Original Message-----
> > From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> > James P. Kinney III
> > Sent: Thursday, May 03, 2007 8:55 AM
> > To: Atlanta Linux Enthusiasts
> > Subject: Re: [ale] virtualize a FC6 box to a vmware image
> >
> > On Thu, 2007-05-03 at 08:44 -0400, Jeff Lightner wrote:
> > > Programs have to be "aware of SELinux" rather than vice-versa?
> >
> > Sort of. SELinux adds a small pile of extended attributes to each
> > file/directory. Unless the app that is manipulating them at the low
> > level "knows" SELinux, then those attributes will not get transferred.
> >
> > tar doesn't speak SELinux so star was written (note: RedHat tar may have
> > the SELinux extensions backported - need to check...)
> >
> > rsync does not know SELinux. So to do a _full_ copy, it will be needed
> > to script in the final comparison of attributes and merge them to the
> > off-site copy. Basically, the rsync will use the SELinux on the target
> > machine. So if the source machine has settings that are different from
> > the drop location on the target, they will be lost.
> >
> > Grr.....
> >
> > >
> > > -----Original Message-----
> > > From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> > > Jerry Yu
> > > Sent: Thursday, May 03, 2007 8:26 AM
> > > To: Atlanta Linux Enthusiasts
> > > Subject: Re: [ale] virtualize a FC6 box to a vmware image
> > >
> > > this is pretty close to my own full backup+recovery steps. should I
> > > assume rsync is not aware of SELinux attributes?
> > >
> > > On 5/2/07, Brian Pitts <brian at polibyte.com> wrote:
> > >
> > > Jerry Yu wrote:
> > > > I have a FC6 box running wordpress. It became desirable to convert
> > > > it to a vmware instance.  'vmware converter' and it asked me for
> > > > domain\user to convert a remote physical server?!   Any vmware
> > > > (quick) way w/o doing  full backup & restore I usually do?
> > >
> > > I don't think the vmware converter supports linux. Take a look at
> > > http://www.vmware.com/community/thread.jspa?threadID=82173&tstart=0.
> > > They recommend something like
> > >
> > > - Enable ssh access in the source system
> > > - Create a vm for the target system
> > > - Boot the vm with a linux live-cd (System Rescue CD or RIP are
> > >   light ones)
> > > - Setup the network in the vm as usual
> > > - mount the virtual hd destination partition. Eg.
> > >   mount /dev/hda /mnt/dest
> > > - rsync -av --numeric-ids --exclude=/dev --exclude=/proc --exclude=/sys
> > >   root at ip-source:/dev/hd(source-partition)/ /mnt/dest/
> > > - mkdir /mnt/dest/{dev,proc,sys}
> > > - adjust the bootloader and fstab of the virtual system to reflect
> > >   the new root
> > > - umount /mnt/dest
> > > - reboot vm
> > >
> > > -Brian
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> --
> James P. Kinney III
> CEO & Director of Engineering
> Local Net Solutions,LLC
> 770-493-8244
> http://www.localnetsolutions.com
> 
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
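The "final comparison of attributes and merge" step that James Kinney says an rsync copy needs, written out as an added example that is not part of this thread: it parses two `getfattr -n security.selinux` dumps (one taken on the source box, one over the copy mounted at /mnt/dest as in the procedure above), lists the files whose SELinux context the copy lost, and prints the chcon commands that put the source label back. The two dumps, the relabelled files in them and the excluded /dev, /proc and /sys trees are constructed to match the steps in the thread.

```python
import re
# Constructed sample output of `getfattr -R -n security.selinux --absolute-names <root>`,
# taken on the source box (root /) and on the rsync'ed copy (root /mnt/dest).
SOURCE_DUMP = """\
# file: /var/www/html/index.php
security.selinux="system_u:object_r:httpd_sys_content_t:s0"

# file: /var/www/html/wp-content/uploads
security.selinux="system_u:object_r:httpd_sys_rw_content_t:s0"

# file: /etc/shadow
security.selinux="system_u:object_r:shadow_t:s0"

# file: /proc/cpuinfo
security.selinux="system_u:object_r:proc_t:s0"
"""
COPY_DUMP = """\
# file: /mnt/dest/var/www/html/index.php
security.selinux="system_u:object_r:httpd_sys_content_t:s0"

# file: /mnt/dest/var/www/html/wp-content/uploads
security.selinux="system_u:object_r:httpd_sys_content_t:s0"

# file: /mnt/dest/etc/shadow
security.selinux="unconfined_u:object_r:etc_t:s0"
"""
EXCLUDED = ("/dev", "/proc", "/sys")  # trees the rsync step deliberately skips

def parse_getfattr(dump, root="/"):
    """Return {path relative to root: context}, one getfattr stanza per file."""
    ctx, path = {}, None
    for line in dump.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            if root != "/" and path.startswith(root):
                path = path[len(root):] or "/"
        elif path and (m := re.match(r'security\.selinux="([^"]*)"', line)):
            ctx[path] = m.group(1)
    return ctx

def compare_contexts(src, dst):
    """Files relabelled in the copy, and files absent from it (excludes aside)."""
    changed = {p: (c, dst[p]) for p, c in src.items() if p in dst and dst[p] != c}
    missing = sorted(p for p in src if p not in dst and not p.startswith(EXCLUDED))
    return changed, missing

def chcon_commands(changed, root="/mnt/dest"):
    """chcon lines that put the source label back on each relabelled file."""
    return [f"chcon {s} {root}{p}" for p, (s, _) in sorted(changed.items())]
```

On real hosts the dumps come from `getfattr -R -n security.selinux --absolute-names /` on the source and the same command over /mnt/dest on the copy. rsync 3.0 and later can carry the attribute itself with -X (--xattrs), and GNU tar with --xattrs and --selinux, which turns this script into a verification step rather than the repair.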