On Sunday, June 8, 2014 at 02:47 -0400, Eyal Edri wrote:

----- Original Message -----
> From: "David Caro" <dcaroest(a)redhat.com>
> To: "Michael Scherer" <mscherer(a)redhat.com>
> Cc: infra(a)ovirt.org
> Sent: Friday, June 6, 2014 5:24:20 PM
> Subject: Re: Selinux, because it is friday
>
> On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > Hi again,
> >
> > while looking at servers, I also couldn't help noticing that selinux is
> > either disabled or set as permissive on the few servers I looked at, one
> > even having auditd disabled.
> >
> > So I did enable auditd with the goal of collecting violations in
> > audit.log ( aka AVC ), and I plan to look at them. I already started to
> > fix a few violations showing up in the log.
> >
> > Sometimes, this would just be enabling a boolean to configure selinux
> > ( ie, enable some specific access ), sometimes, it was just a wrongly
> > labelled file ( on monitoring.ovirt, mostly ).
> >
> > I do not plan to set selinux in enforcing mode before having checked that
> > there is no problem for a longer period of time, and of course, not if
> > people think it is not wise. I also so far only propose to do that host
> > by host, as I guess the jenkins ones may be more complex to limit.
> >
> > I will report with what I found and so we will discuss if we make the
> > switch or not.
> >

> thanks for this effort michael! security is always important and sometimes
> unfortunately gets pushed behind other urgent tasks.

> after we've made sure enabling selinux doesn't break anything, can we ensure it's set for all servers
> via puppet?
yes.
Either by forcing the content of /etc/selinux/config, or with augeas.
I would even be more radical and make sure selinux is set to enforcing
with nagios, i.e. get an alert if someone/something disables it.
> also - might be worth opening a ticket in trac on it for tracking
> progress..
yep, good point.
-- 
Michael Scherer
Open Source and Standards, Sysadmin
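The monitoring side of the proposal above (alert when SELinux is no longer enforcing), as an added example that is not part of the thread or of the oVirt infra code: a small Nagios-style plugin written in POSIX sh. It assumes `getenforce` (libselinux) is installed on the host and that the boot-time mode lives in `/etc/selinux/config`; the sample config it parses offline is constructed for the demo. It treats "enforcing now but the config file says otherwise" as a separate WARNING state, since that is exactly the drift that a reboot would turn into a silent downgrade.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): Nagios-style SELinux check.
# Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Assumption: `getenforce` exists on the monitored host; the config path is /etc/selinux/config.

# Print the SELINUX= value from a config file (comments ignored, last match wins).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Decide the plugin status from the runtime mode (getenforce output) and the
# configured boot mode. Prints the Nagios status line and returns the exit code.
evaluate_selinux_state() {
    runtime=$1
    configured=$2
    case "$runtime" in
        Enforcing)
            if [ "$configured" = "enforcing" ]; then
                echo "SELINUX OK - enforcing at runtime and in config"
                return 0
            fi
            # Enforcing now, but the next reboot would drop to the configured mode.
            echo "SELINUX WARNING - enforcing now, but config says '${configured:-missing}'"
            return 1
            ;;
        Permissive|Disabled)
            echo "SELINUX CRITICAL - runtime mode is $runtime (config: ${configured:-missing})"
            return 2
            ;;
        *)
            echo "SELINUX UNKNOWN - could not determine runtime mode ('$runtime')"
            return 3
            ;;
    esac
}

# Entry point on a real host: combine getenforce with the on-disk config.
check_selinux() {
    cfg=${1:-/etc/selinux/config}
    runtime=$(getenforce 2>/dev/null || echo "unavailable")
    configured=$(selinux_config_mode "$cfg" 2>/dev/null)
    evaluate_selinux_state "$runtime" "$configured"
}

# Constructed sample config (not taken from any real server) to exercise the parser offline.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

# Offline demo: parse the constructed config and pretend the host currently
# reports Enforcing. Expected result: WARNING (exit 1), because the config
# would put the host back into permissive mode after a reboot.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    configured=$(selinux_config_mode "$tmp")
    rm -f "$tmp"
    evaluate_selinux_state Enforcing "$configured"
}

# Run the live check only when invoked as `./check_selinux.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_selinux
    exit $?
fi
```

Wired into Nagios (or NRPE) as a normal command, the plugin gives the alert asked for in the thread; the Puppet side then only needs to manage `/etc/selinux/config` so that the WARNING state self-heals on the next run.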