
On Sunday, 08 June 2014 at 02:47 -0400, Eyal Edri wrote:
From: "David Caro" <dcaroest@redhat.com>
To: "Michael Scherer" <mscherer@redhat.com>
Cc: infra@ovirt.org
Sent: Friday, June 6, 2014 5:24:20 PM
Subject: Re: Selinux, because it is friday

On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
Hi again,
While looking at servers, I also couldn't help noticing that SELinux is either disabled or set as permissive on the few servers I looked at, one even having auditd disabled.

So I did enable auditd with the goal of collecting violations in audit.log (aka AVC), and I plan to look at them. I already started to fix a few violations showing up in the log.

Sometimes this was just a matter of enabling a boolean to configure SELinux (i.e. enable some specific access); sometimes it was just a wrongly labelled file (on monitoring.ovirt, mostly).

I do not plan to set SELinux to enforcing mode before having checked that there is no problem for a longer period of time, and of course not if people think it is not wise. So far I also only propose to do that host by host, as I guess the Jenkins ones may be more complex to limit.

I will report what I found and then we will discuss whether we make the switch or not.
Thanks for this effort, Michael! Security is always important and sometimes unfortunately gets pushed behind other urgent tasks.

After we've made sure enabling SELinux doesn't break anything, can we ensure it's set for all servers via Puppet?
Yes. Either by forcing the content of /etc/selinux/config, or with augeas.

I would even be more radical and make sure SELinux is set to enforcing with Nagios, i.e. get an alert if someone/something disables it.
Also, it might be worth opening a ticket in trac on it for tracking progress.
Yep, good point.

--
Michael Scherer
Open Source and Standards, Sysadmin
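The Nagios check Michael proposes above (alert when SELinux is not enforcing), as an added example for this page rather than anything taken from the oVirt infra team's Puppet or Nagios configuration: a POSIX sh plugin that looks at both the running mode (getenforce) and the persisted SELINUX= line in /etc/selinux/config, so a live `setenforce 0` and an edited config file are each caught. The plugin name check_selinux, its --host flag, the exit-code mapping and the sample config text are assumptions made for this example.

```shell
#!/bin/sh
# check_selinux: Nagios-style plugin that alerts when SELinux is not enforcing.
# Added example for this thread, not code from the oVirt infra repositories.
# Exit codes use the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Assumptions (not stated in the thread): getenforce(8) is installed and the
# persistent setting lives in /etc/selinux/config as a SELINUX=<mode> line.

# Map one mode string (as printed by getenforce, or as written in the config
# file) to a Nagios exit code. Permissive still logs AVCs, so it is only a
# WARNING; Disabled means no policy is loaded at all, so it is CRITICAL.
nagios_code_for_mode() {
    case "$1" in
        [Ee]nforcing)  echo 0 ;;
        [Pp]ermissive) echo 1 ;;
        [Dd]isabled)   echo 2 ;;
        *)             echo 3 ;;   # empty or unparseable: UNKNOWN
    esac
}

# Read config text on stdin and print the SELINUX= value. The stock file's
# comments mention all three modes, so only uncommented assignments count;
# if the line is repeated, the last assignment wins.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' | tail -n 1
}

# Combine the runtime and persisted modes and print the worse exit code.
# Checking only getenforce would miss a host whose config says disabled and
# will come back that way after a reboot; checking only the file would miss a
# live `setenforce 0`. Taking the maximum means neither half masks the other.
check_selinux() {
    rc_runtime=$(nagios_code_for_mode "$1")
    rc_config=$(nagios_code_for_mode "$2")
    if [ "$rc_runtime" -ge "$rc_config" ]; then
        echo "$rc_runtime"
    else
        echo "$rc_config"
    fi
}

# Human-readable label for an exit code, for the plugin's one-line output.
status_label() {
    case "$1" in
        0) echo OK ;;
        1) echo WARNING ;;
        2) echo CRITICAL ;;
        *) echo UNKNOWN ;;
    esac
}

# Constructed sample of /etc/selinux/config for the offline demo. It mirrors
# the layout of the stock file (comments naming every mode) and is deliberately
# permissive, which is the state Michael describes finding on the servers.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=targeted'

# Real plugin mode: run as `check_selinux --host` from Nagios (NRPE or local).
# getenforce is absent or fails on a kernel without SELinux; that is treated
# as Disabled rather than UNKNOWN, since that is exactly what should alert.
run_on_host() {
    runtime=$(getenforce 2>/dev/null || echo Disabled)
    if [ -r /etc/selinux/config ]; then
        persisted=$(config_mode < /etc/selinux/config)
    else
        persisted=""
    fi
    rc=$(check_selinux "$runtime" "$persisted")
    echo "SELINUX $(status_label "$rc") - runtime=$runtime config=${persisted:-unset}"
    exit "$rc"
}

if [ "${1-}" = "--host" ]; then
    run_on_host
fi

# Offline demo on the constructed sample. Runtime Enforcing plus a permissive
# config file yields WARNING: the box is fine now but will not be after reboot.
demo_runtime=Enforcing
demo_persisted=$(printf '%s\n' "$SAMPLE_CONFIG" | config_mode)
demo_rc=$(check_selinux "$demo_runtime" "$demo_persisted")
echo "SELINUX $(status_label "$demo_rc") - runtime=$demo_runtime config=$demo_persisted"
```

Wired into Nagios as a normal service check, this turns Michael's "get an alert if someone/something disables it" into a concrete condition: anything other than Enforcing on both the live kernel and the config file raises WARNING or CRITICAL. Note that `setenforce 0` alone does not touch /etc/selinux/config, which is why both sides are compared rather than just one.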