From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 24 Mar 2011 14:59:59 -0400
Subject: [refpolicy] Proxies
In-Reply-To: <201103241637.29259.russell@coker.com.au>
References: <201103241637.29259.russell@coker.com.au>
Message-ID: <4D8B94AF.7060404@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/24/11 01:37, Russell Coker wrote:
> http://dansguardian.org/
> 
> I'm thinking of writing a policy for Dans Guardian, is it worth having a 
> separate domain or should I run it in squid_t?  While it's not uncommon to run 
> both on the same server there seems little benefit in isolating them, 
> generally an attacker would get all the benefit that they are likely to get 
> from compromising just one of them.

I'd tend to go with a separate domain.  If you want to use squid and
dansguardian, you couldn't write a policy that would ensure that all the
traffic went though dansguardian if both services are in the same domain.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com