
Hi again,

While looking at servers, I also couldn't help noticing that SELinux is either disabled or set to permissive on the few servers I looked at, one even having auditd disabled.

So I enabled auditd with the goal of collecting violations in audit.log (aka AVC), and I plan to look at them. I already started to fix a few violations showing up in the log. Sometimes this would just be enabling a boolean to configure SELinux (i.e., enable some specific access); sometimes it was just a wrongly labelled file (on monitoring.ovirt, mostly).

I do not plan to set SELinux to enforcing mode before having checked that there is no problem for a longer period of time, and of course, not if people think it is not wise. I also so far only propose to do that host by host, as I guess the Jenkins ones may be more complex to limit.

I will report back with what I found, and so we will discuss if we make the switch or not.
-- 
Michael Scherer
Open Source and Standards, Sysadmin
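
An added example, not part of the original message: one way to summarize the AVC denials that auditd collects on a permissive host, grouped by source type, target type and object class, so the recurring ones can be reviewed before any switch to enforcing. The log lines are constructed samples and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log AVC format (not taken from any real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1402000001.101:210): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1402000002.202:211): avc:  denied  { open } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1402000002.202:211): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1402000003.303:212): avc:  denied  { name_connect } for  pid=2150 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
                    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")
COMM_RE = re.compile(r'comm="([^"]*)"')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_avc(log_text):
    """Group denials by (source type, target type, class); non-AVC lines are skipped."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        g = groups[key]
        g["count"] += 1
        g["perms"].update(m["perms"].split())
        comm = COMM_RE.search(line)
        if comm:
            g["comms"].add(comm.group(1))
    return dict(groups)

def report(log_text):
    """Return one summary line per group, most frequent denial first."""
    rows = sorted(summarize_avc(log_text).items(), key=lambda kv: -kv[1]["count"])
    return [f"{g['count']:4d}  {src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }}"
            f" comm={','.join(sorted(g['comms']))}" for (src, tgt, cls), g in rows]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To review a real host, pass the contents of its audit.log to `report` instead of the sample.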