
On Monday, 09 June 2014 at 13:19 +0200, Michael Scherer wrote:

On Sunday, 08 June 2014 at 02:47 -0400, Eyal Edri wrote:

----- Original Message -----
From: "David Caro" <dcaroest@redhat.com>
To: "Michael Scherer" <mscherer@redhat.com>
Cc: infra@ovirt.org
Sent: Friday, June 6, 2014 5:24:20 PM
Subject: Re: Selinux, because it is friday

On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:

Hi again,

while looking at servers, I also couldn't help noticing that selinux is either disabled or set as permissive on the few servers I looked, one even having auditd disabled.

So I did enable auditd with the goal of collecting violations in audit.log ( aka AVC ), and I plan to look at them. I already started to fix a few violations showing up in the log.

Sometimes, this would just be enabling a boolean to configure selinux ( ie, enable some specific access ), sometimes, it was just a wrongly labelled file ( on monitoring.ovirt, mostly ).

I do not plan to set selinux in enforcing mode before having checked that there is no problem for a longer period of time, and of course, not if people think it is not wise. I also so far only propose to do that host by host, as I guess the jenkins ones may be more complex to limit.

I will report with what I found and so we will discuss if we make the switch or not.

thanks for this effort michael! security is always important and sometimes unfortunately gets pushed behind other urgent tasks.

after we've made sure enabling selinux doesn't break anything, can we ensure it's set for all servers via puppet?

yes. Either by forcing the content of /etc/selinux/config, or with augeas.

I would even be more radical and make sure selinux is set to enforcing with nagios i.e. get an alert if someone/something disables it.

also - might be worth opening a ticket in trac on it for tracking progress..

yep, good point.

https://fedorahosted.org/ovirt/ticket/158

I am completing the ticket with what we discuss

--
Michael Scherer
Open Source and Standards, Sysadmin
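The Nagios-style alert Michael proposes above (alert when a host is no longer enforcing), written out as an added example; this is not code from the thread or from the oVirt infra puppet repository. It assumes a hypothetical plugin name check_selinux_enforcing and reads the kernel's selinuxfs "enforce" file and /etc/selinux/config, both as parameters so the functions can be pointed at constructed files. It checks two things the thread distinguishes: the live mode (what a runtime setenforce 0 changes) and the persistent setting in /etc/selinux/config (what puppet or augeas would manage, and what decides the mode after a reboot).

```shell
#!/bin/sh
# Nagios plugin convention: exit 0 = OK, 1 = WARNING, 2 = CRITICAL.
# Added example, not the oVirt infra team's own check. Paths are parameters
# so the functions can be tested against constructed files.

# Report the live SELinux mode from selinuxfs: 1 = enforcing, 0 = permissive,
# file absent = SELinux disabled (or selinuxfs not mounted).
selinux_state() {
    f="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$f" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# CRITICAL unless the host is enforcing right now. This is what catches a
# runtime "setenforce 0" or a kernel booted with selinux=0.
check_selinux_enforcing() {
    state=$(selinux_state "$1")
    if [ "$state" = enforcing ]; then
        echo "SELINUX OK - enforcing"
        return 0
    fi
    echo "SELINUX CRITICAL - $state"
    return 2
}

# WARNING unless /etc/selinux/config persists SELINUX=enforcing. A host can
# be enforcing now yet come back permissive after a reboot; this is the file
# puppet (or augeas) would manage.
check_selinux_config() {
    cfg="${1:-/etc/selinux/config}"
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" 2>/dev/null | tail -n 1)
    if [ "$mode" = enforcing ]; then
        echo "SELINUX CONFIG OK - SELINUX=enforcing"
        return 0
    fi
    echo "SELINUX CONFIG WARNING - SELINUX=${mode:-unset} in $cfg"
    return 1
}

# Run both checks and exit with the worse status, but only when invoked as
# the plugin itself (hypothetical file name), not when sourced for testing.
case "${0##*/}" in
    check_selinux_enforcing*)
        rc=0
        check_selinux_enforcing || rc=$?
        cfg_rc=0
        check_selinux_config || cfg_rc=$?
        [ "$cfg_rc" -gt "$rc" ] && rc=$cfg_rc
        exit "$rc"
        ;;
esac
```

Installed as an NRPE plugin under the name check_selinux_enforcing, the script needs no arguments; the defaults point at the real selinuxfs file and /etc/selinux/config. Reading selinuxfs directly rather than calling getenforce keeps the plugin working on minimal hosts where policycoreutils is not installed.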