Selinux, because it is friday

Hi again,

while looking at servers, I also couldn't help noticing that selinux is either disabled or set as permissive on the few servers I looked at, one even having auditd disabled.

So I did enable auditd with the goal of collecting violations in audit.log (aka AVC), and I plan to look at them. I already started to fix a few violations showing up in the log.
Sometimes this would just be enabling a boolean to configure selinux (i.e. enable some specific access), sometimes it was just a wrongly labelled file (on monitoring.ovirt, mostly).

I do not plan to set selinux in enforcing mode before having checked that there is no problem for a longer period of time, and of course not if people think it is not wise. I also so far only propose to do that host by host, as I guess the jenkins ones may be more complex to limit.

I will report with what I found and so we will discuss if we make the switch or not.

--
Michael Scherer
Open Source and Standards, Sysadmin
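A small triage script for the AVC records this message talks about, added here as an example (it is not code from the thread or from the oVirt infra repository). It groups the denials in audit.log by source type, target type, object class and permission set, which is the shape in which one decides between "toggle a boolean" and "relabel the files". The log lines are constructed in the real auditd AVC format; the httpd_t/user_home_t contexts are illustrative, not observations from monitoring.ovirt.

```python
import re
import sys
from collections import Counter
# One auditd AVC record: a fixed prefix, the permission set in braces, then free-form
# key=value pairs (pid, comm, path, scontext, tcontext, tclass, permissive, ...).
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):\d+\):\s+avc:\s+(?P<result>denied|granted)'
    r'\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(context):
    # user:role:type[:level] -> type; policy rules and booleans are keyed on the type
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one audit.log line into a dict; return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": float(m.group("ts")), "result": m.group("result"),
           "perms": " ".join(sorted(m.group("perms").split()))}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["stype"] = _type_of(rec.get("scontext", ""))
    rec["ttype"] = _type_of(rec.get("tcontext", ""))
    # permissive=1: the access was only logged; it would be blocked once enforcing
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def summarize(lines):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for rec in (parse_avc(ln) for ln in lines):
        if rec is not None and rec["result"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec.get("tclass", "?"), rec["perms"])] += 1
    return counts

# Constructed sample in the auditd AVC format; not taken from any real host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1402063560.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=40012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1402063560.102:202): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=40012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1402063561.500:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1402063561.500:203): arch=c000003e syscall=42 success=yes exit=0
type=AVC msg=audit(1402063570.000:204): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=40012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""
if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG.splitlines()
    for (stype, ttype, tclass, perms), n in summarize(lines).most_common():
        print("%4d  %s -> %s  %s { %s }" % (n, stype, ttype, tclass, perms))
```

Run it with the path to audit.log as the only argument; without an argument it summarizes the built-in sample. Repeated hits on one key across different paths usually point at mislabelled files or a missing boolean rather than at one odd file.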

On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> Hi again,
>
> while looking at servers, I also couldn't help noticing that selinux is either disabled or set as permissive on the few servers I looked at, one even having auditd disabled.
>
> So I did enable auditd with the goal of collecting violations in audit.log (aka AVC), and I plan to look at them. I already started to fix a few violations showing up in the log.
> Sometimes this would just be enabling a boolean to configure selinux (i.e. enable some specific access), sometimes it was just a wrongly labelled file (on monitoring.ovirt, mostly).
>
> I do not plan to set selinux in enforcing mode before having checked that there is no problem for a longer period of time, and of course not if people think it is not wise. I also so far only propose to do that host by host, as I guess the jenkins ones may be more complex to limit.
>
> I will report with what I found and so we will discuss if we make the switch or not.
>
> _______________________________________________
> Infra mailing list
> Infra@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra

Thanks Michael!

--
David Caro
Red Hat S.L.
Continuous Integration Engineer - EMEA ENG Virtualization R&D
Email: dcaro@redhat.com
Web: www.redhat.com
RHT Global #: 82-62605

----- Original Message -----
From: "David Caro" <dcaroest@redhat.com>
To: "Michael Scherer" <mscherer@redhat.com>
Cc: infra@ovirt.org
Sent: Friday, June 6, 2014 5:24:20 PM
Subject: Re: Selinux, because it is friday

> On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > Hi again,
> >
> > while looking at servers, I also couldn't help noticing that selinux is either disabled or set as permissive on the few servers I looked at, one even having auditd disabled.
> >
> > So I did enable auditd with the goal of collecting violations in audit.log (aka AVC), and I plan to look at them. I already started to fix a few violations showing up in the log.
> > Sometimes this would just be enabling a boolean to configure selinux (i.e. enable some specific access), sometimes it was just a wrongly labelled file (on monitoring.ovirt, mostly).
> >
> > I do not plan to set selinux in enforcing mode before having checked that there is no problem for a longer period of time, and of course not if people think it is not wise. I also so far only propose to do that host by host, as I guess the jenkins ones may be more complex to limit.
> >
> > I will report with what I found and so we will discuss if we make the switch or not.

thanks for this effort Michael! security is always important and sometimes unfortunately gets pushed behind other urgent tasks.

after we've made sure enabling selinux doesn't break anything, can we ensure it's set for all servers via puppet?
also - might be worth opening a ticket in trac on it for tracking progress..

eyal.

> Thanks Michael!
>
> --
> David Caro
> Red Hat S.L.
> Continuous Integration Engineer - EMEA ENG Virtualization R&D
> Email: dcaro@redhat.com
> Web: www.redhat.com
> RHT Global #: 82-62605

On Sunday 8 June 2014 at 02:47 -0400, Eyal Edri wrote:
> ----- Original Message -----
> From: "David Caro" <dcaroest@redhat.com>
> To: "Michael Scherer" <mscherer@redhat.com>
> Cc: infra@ovirt.org
> Sent: Friday, June 6, 2014 5:24:20 PM
> Subject: Re: Selinux, because it is friday
>
> > On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > > Hi again,
> > >
> > > while looking at servers, I also couldn't help noticing that selinux is either disabled or set as permissive on the few servers I looked at, one even having auditd disabled.
> > >
> > > So I did enable auditd with the goal of collecting violations in audit.log (aka AVC), and I plan to look at them. I already started to fix a few violations showing up in the log.
> > > Sometimes this would just be enabling a boolean to configure selinux (i.e. enable some specific access), sometimes it was just a wrongly labelled file (on monitoring.ovirt, mostly).
> > >
> > > I do not plan to set selinux in enforcing mode before having checked that there is no problem for a longer period of time, and of course not if people think it is not wise. I also so far only propose to do that host by host, as I guess the jenkins ones may be more complex to limit.
> > >
> > > I will report with what I found and so we will discuss if we make the switch or not.
>
> thanks for this effort Michael! security is always important and sometimes unfortunately gets pushed behind other urgent tasks.
>
> after we've made sure enabling selinux doesn't break anything, can we ensure it's set for all servers via puppet?

yes.
Either by forcing the content of /etc/selinux/config, or with augeas.

I would even be more radical and make sure selinux is set to enforcing with nagios, i.e. get an alert if someone/something disables it.

> also - might be worth opening a ticket in trac on it for tracking progress..

yep, good point.

--
Michael Scherer
Open Source and Standards, Sysadmin
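The nagios check Michael describes, written out as an added example (not code from the thread or from the oVirt infra repository). Puppet or augeas enforce the file; this plugin catches the other half, a live `setenforce 0` or a config edit that would only take effect at the next reboot. It assumes the live mode is readable from /sys/fs/selinux/enforce (or /selinux/enforce on older EL releases) and that neither file exists when SELinux is disabled.

```python
import re
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes
# Live mode lives in /selinux on RHEL/CentOS 6 and /sys/fs/selinux on 7+; neither
# file exists when SELinux is disabled (assumption this script relies on).
ENFORCE_FILES = ("/sys/fs/selinux/enforce", "/selinux/enforce")

def config_mode(config_text):
    """SELINUX= value from /etc/selinux/config text (comments ignored), or None."""
    mode = None
    for raw in config_text.splitlines():
        m = re.match(r'SELINUX\s*=\s*(\w+)\s*$', raw.split("#", 1)[0].strip())
        if m:
            mode = m.group(1).lower()  # last assignment wins, as at boot
    return mode

def runtime_mode(enforce_value):
    """Map the enforce file content ('0'/'1') to a mode name; None means unreadable."""
    if enforce_value is None:
        return "disabled"
    return {"0": "permissive", "1": "enforcing"}.get(enforce_value.strip())

def check(config_text, enforce_value, expected="enforcing"):
    """Return (nagios_status, message) comparing the boot config with the live state."""
    cfg, run = config_mode(config_text), runtime_mode(enforce_value)
    if cfg is None or run is None:
        return UNKNOWN, "cannot determine SELinux mode (config=%r, runtime=%r)" % (cfg, run)
    if run != expected:  # setenforce 0, or SELINUX=disabled plus a reboot
        return CRITICAL, "SELinux is %s at runtime, expected %s" % (run, expected)
    if cfg != expected:  # protected now, but the next reboot would change that
        return WARNING, "SELinux is %s now but /etc/selinux/config says %s" % (run, cfg)
    return OK, "SELinux is %s, config and runtime agree" % run

def read_file(path):
    """Return the file content, or None when it does not exist or is unreadable."""
    try:
        with open(path) as fh:
            return fh.read()
    except IOError:
        return None

if __name__ == "__main__":
    live = next((v for v in map(read_file, ENFORCE_FILES) if v is not None), None)
    status, message = check(read_file("/etc/selinux/config") or "", live)
    print("%s: %s" % (["OK", "WARNING", "CRITICAL", "UNKNOWN"][status], message))
    sys.exit(status)
```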

On Monday 9 June 2014 at 13:19 +0200, Michael Scherer wrote:
> On Sunday 8 June 2014 at 02:47 -0400, Eyal Edri wrote:
> > ----- Original Message -----
> > From: "David Caro" <dcaroest@redhat.com>
> > To: "Michael Scherer" <mscherer@redhat.com>
> > Cc: infra@ovirt.org
> > Sent: Friday, June 6, 2014 5:24:20 PM
> > Subject: Re: Selinux, because it is friday
> >
> > > On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > > > Hi again,
> > > >
> > > > while looking at servers, I also couldn't help noticing that selinux is either disabled or set as permissive on the few servers I looked at, one even having auditd disabled.
> > > >
> > > > So I did enable auditd with the goal of collecting violations in audit.log (aka AVC), and I plan to look at them. I already started to fix a few violations showing up in the log.
> > > > Sometimes this would just be enabling a boolean to configure selinux (i.e. enable some specific access), sometimes it was just a wrongly labelled file (on monitoring.ovirt, mostly).
> > > >
> > > > I do not plan to set selinux in enforcing mode before having checked that there is no problem for a longer period of time, and of course not if people think it is not wise. I also so far only propose to do that host by host, as I guess the jenkins ones may be more complex to limit.
> > > >
> > > > I will report with what I found and so we will discuss if we make the switch or not.
> >
> > thanks for this effort Michael! security is always important and sometimes unfortunately gets pushed behind other urgent tasks.
> >
> > after we've made sure enabling selinux doesn't break anything, can we ensure it's set for all servers via puppet?
>
> yes.
> Either by forcing the content of /etc/selinux/config, or with augeas.
>
> I would even be more radical and make sure selinux is set to enforcing with nagios, i.e. get an alert if someone/something disables it.
>
> > also - might be worth opening a ticket in trac on it for tracking progress..
>
> yep, good point.

https://fedorahosted.org/ovirt/ticket/158

I am completing the ticket with what we discussed.

--
Michael Scherer
Open Source and Standards, Sysadmin