Selinux, because it is friday

Michael Scherer mscherer at redhat.com
Mon Jun 9 11:19:32 UTC 2014


Le dimanche 08 juin 2014 à 02:47 -0400, Eyal Edri a écrit :
> 
> ----- Original Message -----
> > From: "David Caro" <dcaroest at redhat.com>
> > To: "Michael Scherer" <mscherer at redhat.com>
> > Cc: infra at ovirt.org
> > Sent: Friday, June 6, 2014 5:24:20 PM
> > Subject: Re: Selinux, because it is friday
> > 
> > On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > > Hi again,
> > >
> > > while looking at servers, I also couldn't help noticing that selinux is
> > > either disabled or set as permissive on the few servers I looked at, one
> > > even having auditd disabled.
> > >
> > > So I did enable auditd with the goal of collecting violations in
> > > audit.log ( aka AVC ), and I plan to look at them. I already started to
> > > fix a few violations showing up in the log.
> > >
> > > Sometimes, this would just be enabling a boolean to configure selinux
> > > ( ie, enable some specific access ); sometimes, it was just a wrongly
> > > labelled file ( on monitoring.ovirt, mostly ).
> > >
> > > I do not plan to set selinux in enforcing mode before having checked that
> > > there is no problem for a longer period of time, and of course, not if
> > > people think it is not wise. I also so far only propose to do that host
> > > by host, as I guess the jenkins ones may be more complex to limit.
> > >
> > > I will report with what I found and so we will discuss if we make the
> > > switch or not.
> > >
> 
> thanks for this effort Michael! security is always important and sometimes unfortunately
> gets pushed behind other urgent tasks.
> 
> after we've made sure enabling selinux doesn't break anything, can we ensure it's set for all servers
> via puppet?

yes. 
Either by forcing the content of /etc/selinux/config, or with augeas.

I would even be more radical and make sure selinux is set to enforcing
with nagios i.e. get an alert if someone/something disables it.

> also - might be worth opening a ticket in trac on it for tracking progress..

yep, good point.
-- 
Michael Scherer
Open Source and Standards, Sysadmin
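The nagios alert Michael suggests above, as an added example that is not code from this thread or from the oVirt infra repositories: a Nagios-style plugin in POSIX sh that reports CRITICAL when SELinux is currently permissive or disabled, and WARNING when it is enforcing now but /etc/selinux/config would not keep it that way after a reboot. The file paths are optional arguments (an assumption made so the functions can be exercised against constructed files).

```shell
#!/bin/sh
# check_selinux: Nagios-style plugin (added example, not code from the thread).
# Exit codes follow the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# Runtime mode. /sys/fs/selinux/enforce holds 1 (enforcing) or 0 (permissive)
# and does not exist at all when SELinux was disabled at boot.
selinux_runtime_mode() {
    enforce_file="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$enforce_file" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Boot-time mode: the SELINUX= line of /etc/selinux/config (the file puppet would manage).
# Comments and SELINUXTYPE= are ignored; the last SELINUX= line wins.
selinux_config_mode() {
    config_file="${1:-/etc/selinux/config}"
    [ -r "$config_file" ] || { echo unknown; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$config_file" | tail -n 1)
    echo "${mode:-unknown}"
}

# Combine both views into one Nagios status line and exit code.
check_selinux() {
    runtime=$(selinux_runtime_mode "${1:-}")
    boot=$(selinux_config_mode "${2:-}")
    if [ "$runtime" = enforcing ] && [ "$boot" = enforcing ]; then
        echo "SELINUX OK - runtime=enforcing config=enforcing"
        return 0
    fi
    case "$runtime" in
        disabled|permissive)
            echo "SELINUX CRITICAL - runtime=$runtime config=$boot"; return 2 ;;
        unknown)
            echo "SELINUX UNKNOWN - runtime=$runtime config=$boot"; return 3 ;;
    esac
    # Enforcing now, but the config would not keep it that way after a reboot.
    echo "SELINUX WARNING - runtime=$runtime config=$boot"
    return 1
}

# Run the live check when invoked with --run (e.g. from the nagios command); sourcing only defines functions.
[ "${1:-}" = --run ] && { check_selinux; exit $?; }
```

Pair it with a puppet resource on /etc/selinux/config so that the WARNING case is corrected automatically on the next agent run and the CRITICAL case (a runtime setenforce 0 or a reboot with selinux=0) is what actually pages someone.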


