2:29 p.m.
--=-xExZWk4wWaF93+5How8T
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Le lundi 09 juin 2014 =C3=A0 13:19 +0200, Michael Scherer a =C3=A9crit :
Le dimanche 08 juin 2014 =C3=A0 02:47 -0400, Eyal Edri a =C3=A9crit
:
>=20
> ----- Original Message -----
> > From: "David Caro" <dcaroest(a)redhat.com>
> > To: "Michael Scherer" <mscherer(a)redhat.com>
> > Cc: infra(a)ovirt.org
> > Sent: Friday, June 6, 2014 5:24:20 PM
> > Subject: Re: Selinux, because it is friday
> >=20
> > On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > > Hi again,
> > >
> > > while looking at servers, I also couldn't help noticing that selinu=
x is
> > > either disabled or set as permissive on the few
servers I looked, o=
ne
> > > even having auditd disabled.
> > >
> > > So I did enable auditd with the goal of collecting violation in
> > > audit.log ( aka AVC ), and I plan to look at them. I already starte=
d to
> > > fix a few violations showing up in the log.
> > >
> > > Sometime, this would just be enabling a boolean to configure selinu=
x
> > > ( ie, enable some specific access ), sometime, it was
just wrongly
> > > labelled file ( on monitoring.ovirt, mostly ).
> > >
> > > I do not plan to set selinux in enforcing mode before having check =
that
> > > there is no problem for a longer period of time, and
of course, not=
if
> > > people think it is not wise. I also so far only
propose to do that =
host
> > > by host, as I guess the jenkins ones may be more
complex to limit.
> > >
> > > I wil report with what I foud and so we will discuss if we make the
> > > switch or not.
> > >
>=20
> thanks for this effort michael! security is always important and someti=
mes
unfourtunately
> gets pushed behind other urgents tasks.
>=20
> after we've made sure enabling selinux doesn't break anything, can we e=
nsure its set for all servers
> via puppet?
=20
yes.=20
Either by forcing the content of /etc/selinux/config, or with augeas.
=20
I would even be more radical and make sure selinux is set to enforcing
with nagios i.e. get a alert if someone/something disable it.
=20
> also - might worth opening a ticket in trac on it for tracking progress=
..
=20
yep, good point.
https://fedorahosted.org/ovirt/ticket/158
I am completing the ticket
with what we discuss=20
--=20
Michael Scherer
Open Source and Standards, Sysadmin
--=-xExZWk4wWaF93+5How8T
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJTlZqvAAoJEE89Wa+PrSK9IIoQAJgm+hOwFkQ5bNPSxZ5/KQum
UzLueIWMUf1WJYhlHB6iHUCOS8Wm0yfuFZd1r9IK9nqtZ09i8Uuqofn/3aor7GEg
VbwcnzqV7aNXJB6fwsQdm1h2p280elwXY5ED1TekRmsnY+cmSEce8Zsgpc40Usq6
uosLLRR0wqdl9pMYaN5k4cS/mNARLqBfWQK3MQRAslQZ12oOON48INe0HMrTqT/v
DBS9FFOI0zICb1fI+r8Z1zxeg1I7kQdrS0Dz5GMc7YtBqx7WUw0Drz4HJuwYEpbx
5g7XOKFgh859ZvJKv0OPYI+pV//PO58UcJUSxtw6zbo7AylN+p1Gp6obANkOya2A
XqHijdKW/VBPFqVIVFwZbeE3eNopVucyx7RzpqQe0ra95EfiFLJBoCwdxhiDilvS
q+N0G7UL+EtgSKODzDa/VBlH2oWag8VZe+7mtJ3snLyA8IDJjYAzaHVMLQfYD7yS
1Kltq4xmgRNDGLFKI0isu87CxGLWW+1258VCXe7AmW/VSTRmWVlg/xH1eIS1DS1r
sPaKYcYUQqX6IJGlxynI8J3iHxy2BzhDQa1EEiGR5mPD1jtKt+xhbZqOYVAjgurM
5RypjVE+TxJeo2aiWyb097LlNDMt89R8JG54GeoRxlrpYcB61z0YFdnc5FFMILHn
vjJTdqbF6krxPhLZm2/z
=jlDs
-----END PGP SIGNATURE-----
--=-xExZWk4wWaF93+5How8T--