----- Original Message -----
From: "David Caro" <dcaroest(a)redhat.com>
To: "Michael Scherer" <mscherer(a)redhat.com>
Cc: infra(a)ovirt.org
Sent: Friday, June 6, 2014 5:24:20 PM
Subject: Re: Selinux, because it is friday
On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> Hi again,
>
> while looking at servers, I also couldn't help noticing that selinux is
> either disabled or set as permissive on the few servers I looked at, one
> even having auditd disabled.
>
> So I did enable auditd with the goal of collecting violations in
> audit.log ( aka AVC ), and I plan to look at them. I already started to
> fix a few violations showing up in the log.
>
> Sometimes, this would just be enabling a boolean to configure selinux
> ( ie, enable some specific access ), sometimes, it was just a wrongly
> labelled file ( on monitoring.ovirt, mostly ).
>
> I do not plan to set selinux in enforcing mode before having checked that
> there is no problem for a longer period of time, and of course, not if
> people think it is not wise. I also so far only propose to do that host
> by host, as I guess the jenkins ones may be more complex to limit.
>
> I will report with what I found and so we will discuss if we make the
> switch or not.
>
thanks for this effort michael! security is always important and sometimes unfortunately
gets pushed behind other urgent tasks.
after we've made sure enabling selinux doesn't break anything, can we ensure it's
set for all servers via puppet?
also - might be worth opening a ticket in trac on it for tracking progress..
eyal.
>
> _______________________________________________
> Infra mailing list
> Infra(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
Thanks michael!
--
David Caro
Red Hat S.L.
Continuous Integration Engineer - EMEA ENG Virtualization R&D
Email: dcaro(a)redhat.com
Web: www.redhat.com
RHT Global #: 82-62605
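
The thread describes collecting AVC denials in audit.log while hosts stay permissive and reviewing them before any switch to enforcing. The following is an added example, not code from any participant in the thread: a small triage script that groups denials by process, source type, target type, object class and permissions, so repeated denials with one cause show up as a single row. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records in audit.log format (not taken from the oVirt servers).
SAMPLE_LOG = '''\
type=AVC msg=audit(1402063560.123:101): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1402063561.456:102): avc:  denied  { read open } for  pid=2101 comm="httpd" path="/srv/www/index.html" dev="dm-0" ino=5321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1402063561.456:102): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1402063590.001:117): avc:  denied  { read open } for  pid=2144 comm="httpd" path="/srv/www/logo.png" dev="dm-0" ino=5322 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1402063600.500:120): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
'''

DENIAL = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_denial(line):
    """Parse one audit.log line; return a dict for AVC denials, else None."""
    m = DENIAL.search(line)
    if m is None:
        return None  # SYSCALL records, "granted" messages, unrelated lines
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "comm": fields.get("comm", "?"),
        "source": setype(fields["scontext"]),
        "target": setype(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": tuple(m.group(1).split()),
    }

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:
            counts[(d["comm"], d["source"], d["target"], d["tclass"], d["perms"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```
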