From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 24 Mar 2011 14:59:59 -0400 Subject: [refpolicy] Proxies In-Reply-To: <201103241637.29259.russell@coker.com.au> References: <201103241637.29259.russell@coker.com.au> Message-ID: <4D8B94AF.7060404@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/24/11 01:37, Russell Coker wrote: > http://dansguardian.org/ > > I'm thinking of writing a policy for Dans Guardian, is it worth having a > separate domain or should I run it in squid_t? While it's not uncommon to run > both on the same server there seems little benefit in isolating them, > generally an attacker would get all the benefit that they are likely to get > from compromising just one of them. I'd tend to go with a separate domain. If you want to use squid and dansguardian, you couldn't write a policy that would ensure that all the traffic went though dansguardian if both services are in the same domain. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com