5:06 p.m.
--=-B1QCWkZPIAdKekvsZ0M2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi again,
while looking at servers, I also couldn't help noticing that selinux is
either disabled or set as permissive on the few servers I looked, one
even having auditd disabled.=20
So I did enable auditd with the goal of collecting violation in
audit.log ( aka AVC ), and I plan to look at them. I already started to
fix a few violations showing up in the log.
Sometime, this would just be enabling a boolean to configure selinux
( ie, enable some specific access ), sometime, it was just wrongly
labelled file ( on monitoring.ovirt, mostly ).
I do not plan to set selinux in enforcing mode before having check that
there is no problem for a longer period of time, and of course, not if
people think it is not wise. I also so far only propose to do that host
by host, as I guess the jenkins ones may be more complex to limit.=20
I wil report with what I foud and so we will discuss if we make the
switch or not.
--=20
Michael Scherer
Open Source and Standards, Sysadmin
--=-B1QCWkZPIAdKekvsZ0M2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJTkcrIAAoJEE89Wa+PrSK90G8P/0Q4zssClKtRlkCFucZTVRsv
Nlkxh1dGkT5s22rHtBCqo7kJqYC9SWIaCOfkQMtwW8Q/ubgh6CEEOSVdMAUOGFJt
hIQUmT8MzuqQRDTfD6HjTpiKtVl1N5/qp3Bo/DPaDM5Y+4rWa/TuuytCL3qg8MEd
7JUT1+iQyt3cFn7zSi9w/vN0GYI3xlhZWXQ29JYu51UDCRE0gSRJlEfuiKmKGxQ7
cp80p+nP44nJ+J78wL1eXZVHP2+veBbYf2tiqjsnxeudNaf86eH+Pq5RAd+8H7cv
4kX3xZjWVc4pYdKLKcQNWPyMJJajZAYtEtx3HXexva+VRsMTnwbJ0MVYkdkmScYn
7YGx7swNHmK28SZDcmVH/2MhNN+pbNq8Ru0CLZYaBE6hJEizyHvF7Aws+QdbfKQn
p8UJ6dPUHL45e+KPYSts9Taxzd+2G1oPjWxAyjW5ArMMM5uv8k3ZWgvbARospLlG
qj3eH4gvCM3jUVcpHbAoNNPLUYXjqJr6SLA565e/+UIyNOITF7mRiTMQ9DgidNQS
C18ccc2bmSeRo6lUrSoAYZJ0FndZRuCmu19xert8la3Wf5GjJAf/28xWsSmPlxw7
ZSPJQvitRJ6oC5+jn6CayPp4CsY8cf5DyP7z0ZCWWFwSrbREKQyRDrachn2xBNmf
wOG4eP6wty5q1YEcYav3
=EDH0
-----END PGP SIGNATURE-----
--=-B1QCWkZPIAdKekvsZ0M2--
5:24 p.m.
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--J4C6qpiwNtupr3TkrEwmdDcj1KFnlcWTG
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
Hi again,
while looking at servers, I also couldn't help noticing that selinux is=
either disabled or set as permissive on the few servers I looked,
one
even having auditd disabled.
So I did enable auditd with the goal of collecting violation in
audit.log ( aka AVC ), and I plan to look at them. I already started to=
fix a few violations showing up in the log.
Sometime, this would just be enabling a boolean to configure selinux
( ie, enable some specific access ), sometime, it was just wrongly
labelled file ( on monitoring.ovirt, mostly ).
I do not plan to set selinux in enforcing mode before having check that=
there is no problem for a longer period of time, and of course, not
if
people think it is not wise. I also so far only propose to do that host=
by host, as I guess the jenkins ones may be more complex to limit.
I wil report with what I foud and so we will discuss if we make the
switch or not.
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra
Thanks michael!
--
David Caro
Red Hat S.L.
Continuous Integration Engineer - EMEA ENG Virtualization R&D
Email: dcaro(a)redhat.com
Web: www.redhat.com
RHT Global #: 82-62605
--J4C6qpiwNtupr3TkrEwmdDcj1KFnlcWTG
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJTkc8UAAoJEEBxx+HSYmnDvtQH/iPS7EuzQMuZNsC2zZ5ATST/
R3MafpkVTD8p3M0dM89cmFHLbCplf2DduP0I1d8J7B+5yUJbnxPqbCME6zejfOOn
JqQMRhWNWTXUpHvqRLDxglQByu2MXaB+7DpKAm0CRSWsFMmgwOyxmhJF55rVCfjS
VfcanK0gdKyGQckd2U+0Bxfwy6d9pD2Vy3gPlP5P8MxXf+TMj8kXpqu9YJ4KtjJx
fbBGP1YmJGZ2iQCoipHencMVJwUGiY+lLCh2MixL81dxFRN49TkGYldCMfCaQNiR
1PdCxbJ7PHuk3Zdm+pnMWzfJQuIp06cjc/chBjN7EDH5hcndopezK1LhwzSc5XI=
=uarV
-----END PGP SIGNATURE-----
--J4C6qpiwNtupr3TkrEwmdDcj1KFnlcWTG--
9:47 a.m.
----- Original Message -----
From: "David Caro" <dcaroest(a)redhat.com>
To: "Michael Scherer" <mscherer(a)redhat.com>
Cc: infra(a)ovirt.org
Sent: Friday, June 6, 2014 5:24:20 PM
Subject: Re: Selinux, because it is friday
On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> Hi again,
>
> while looking at servers, I also couldn't help noticing that selinux is
> either disabled or set as permissive on the few servers I looked, one
> even having auditd disabled.
>
> So I did enable auditd with the goal of collecting violation in
> audit.log ( aka AVC ), and I plan to look at them. I already started to
> fix a few violations showing up in the log.
>
> Sometime, this would just be enabling a boolean to configure selinux
> ( ie, enable some specific access ), sometime, it was just wrongly
> labelled file ( on monitoring.ovirt, mostly ).
>
> I do not plan to set selinux in enforcing mode before having check that
> there is no problem for a longer period of time, and of course, not if
> people think it is not wise. I also so far only propose to do that host
> by host, as I guess the jenkins ones may be more complex to limit.
>
> I wil report with what I foud and so we will discuss if we make the
> switch or not.
>
thanks for this effort michael! security is always important and sometimes unfourtunately
gets pushed behind other urgents tasks.
after we've made sure enabling selinux doesn't break anything, can we ensure its
set for all servers
via puppet?
also - might worth opening a ticket in trac on it for tracking progress..
eyal.
>
> _______________________________________________
> Infra mailing list
> Infra(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
Thanks michael!
--
David Caro
Red Hat S.L.
Continuous Integration Engineer - EMEA ENG Virtualization R&D
Email: dcaro(a)redhat.com
Web: www.redhat.com
RHT Global #: 82-62605
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra
2:19 p.m.
--=-xQeCrZfSJEdLhIze4mUY
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Le dimanche 08 juin 2014 =C3=A0 02:47 -0400, Eyal Edri a =C3=A9crit :
=20
----- Original Message -----
> From: "David Caro" <dcaroest(a)redhat.com>
> To: "Michael Scherer" <mscherer(a)redhat.com>
> Cc: infra(a)ovirt.org
> Sent: Friday, June 6, 2014 5:24:20 PM
> Subject: Re: Selinux, because it is friday
>=20
> On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > Hi again,
> >
> > while looking at servers, I also couldn't help noticing that selinux =
is
> > either disabled or set as permissive on the few servers I
looked, one
> > even having auditd disabled.
> >
> > So I did enable auditd with the goal of collecting violation in
> > audit.log ( aka AVC ), and I plan to look at them. I already started =
to
> > fix a few violations showing up in the log.
> >
> > Sometime, this would just be enabling a boolean to configure selinux
> > ( ie, enable some specific access ), sometime, it was just wrongly
> > labelled file ( on monitoring.ovirt, mostly ).
> >
> > I do not plan to set selinux in enforcing mode before having check th=
at
> > there is no problem for a longer period of time, and of
course, not i=
f
> > people think it is not wise. I also so far only propose to
do that ho=
st
> > by host, as I guess the jenkins ones may be more complex to
limit.
> >
> > I wil report with what I foud and so we will discuss if we make the
> > switch or not.
> >
=20
thanks for this effort michael! security is always important and sometime=
s
unfourtunately
gets pushed behind other urgents tasks.
=20
after we've made sure enabling selinux doesn't break anything, can we ens=
ure its set for all servers
via puppet?
yes.=20
Either by forcing the content of /etc/selinux/config, or with augeas.
I would even be more radical and make sure selinux is set to enforcing
with nagios i.e. get a alert if someone/something disable it.
also - might worth opening a ticket in trac on it for tracking
progress..
yep, good point.
--=20
Michael Scherer
Open Source and Standards, Sysadmin
--=-xQeCrZfSJEdLhIze4mUY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJTlZhEAAoJEE89Wa+PrSK92IAP/Arpn5pPeC6QYMYn57DE42pr
pAt08DXYGy3d+WxNKywDCEGJJFZGXMHSIyOe9+4gtmj0thltvLGF6kI5NnGfR2yh
drObwDGAkY6usRqL6iOAWc2a+zxqEgiddvTFaDghivcgIioNAn3jllDalMtBHNtJ
2Ke/SGOMtkR+ls630WMsXTnwD3znFdMriYBGviVWM26TpVGQMrEHnWlHSAgSlrtH
qLTjBfRDIV/x633esfx6cf8LOSQSS06aJ/DSS0iWBw7B96OEyITXTdNdyi9VB5I3
0ku/gE6iJIyLmBQVL6tA+bU1kOhm2yRvd7pS+9ms/zdRBmtnIrON9ycQYHux/Cvm
DbJGROBSI6aDt3YwnWdfDhZcVqW/DGIaJZ4ztkGZ04J4usV8/TkouQgJ04tF5cR5
QQM6UPR05sbQ4C46NkQxj4aELaof6LRy/4x7fbGRPlWm23/nYAn0ngKQtGX7V40g
fw2Syr7RvHOTOSS0bsW0l6SZVsDLtzZCbhKQ4o7Tf+jvGFL4HPrcCNjqeSbxxivN
1/qLWABJqRq47DNVysyz5Wk0co9JeaNFJrUhVRHd+X/wu/ea0/AHmaQTxTNtXbBD
YcagUeUYqCq03ggXMxqE2Y6ZvFFOvIaI+sqDKTwWSHkS+B7rR3P2BcX0efhJCvFN
nOvArpd1jezW5NjT4yzl
=lKxW
-----END PGP SIGNATURE-----
--=-xQeCrZfSJEdLhIze4mUY--
2:29 p.m.
--=-xExZWk4wWaF93+5How8T
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Le lundi 09 juin 2014 =C3=A0 13:19 +0200, Michael Scherer a =C3=A9crit :
Le dimanche 08 juin 2014 =C3=A0 02:47 -0400, Eyal Edri a =C3=A9crit
:
>=20
> ----- Original Message -----
> > From: "David Caro" <dcaroest(a)redhat.com>
> > To: "Michael Scherer" <mscherer(a)redhat.com>
> > Cc: infra(a)ovirt.org
> > Sent: Friday, June 6, 2014 5:24:20 PM
> > Subject: Re: Selinux, because it is friday
> >=20
> > On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > > Hi again,
> > >
> > > while looking at servers, I also couldn't help noticing that selinu=
x is
> > > either disabled or set as permissive on the few
servers I looked, o=
ne
> > > even having auditd disabled.
> > >
> > > So I did enable auditd with the goal of collecting violation in
> > > audit.log ( aka AVC ), and I plan to look at them. I already starte=
d to
> > > fix a few violations showing up in the log.
> > >
> > > Sometime, this would just be enabling a boolean to configure selinu=
x
> > > ( ie, enable some specific access ), sometime, it was
just wrongly
> > > labelled file ( on monitoring.ovirt, mostly ).
> > >
> > > I do not plan to set selinux in enforcing mode before having check =
that
> > > there is no problem for a longer period of time, and
of course, not=
if
> > > people think it is not wise. I also so far only
propose to do that =
host
> > > by host, as I guess the jenkins ones may be more
complex to limit.
> > >
> > > I wil report with what I foud and so we will discuss if we make the
> > > switch or not.
> > >
>=20
> thanks for this effort michael! security is always important and someti=
mes
unfourtunately
> gets pushed behind other urgents tasks.
>=20
> after we've made sure enabling selinux doesn't break anything, can we e=
nsure its set for all servers
> via puppet?
=20
yes.=20
Either by forcing the content of /etc/selinux/config, or with augeas.
=20
I would even be more radical and make sure selinux is set to enforcing
with nagios i.e. get a alert if someone/something disable it.
=20
> also - might worth opening a ticket in trac on it for tracking progress=
..
=20
yep, good point.
https://fedorahosted.org/ovirt/ticket/158
I am completing the ticket
with what we discuss=20
--=20
Michael Scherer
Open Source and Standards, Sysadmin
--=-xExZWk4wWaF93+5How8T
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJTlZqvAAoJEE89Wa+PrSK9IIoQAJgm+hOwFkQ5bNPSxZ5/KQum
UzLueIWMUf1WJYhlHB6iHUCOS8Wm0yfuFZd1r9IK9nqtZ09i8Uuqofn/3aor7GEg
VbwcnzqV7aNXJB6fwsQdm1h2p280elwXY5ED1TekRmsnY+cmSEce8Zsgpc40Usq6
uosLLRR0wqdl9pMYaN5k4cS/mNARLqBfWQK3MQRAslQZ12oOON48INe0HMrTqT/v
DBS9FFOI0zICb1fI+r8Z1zxeg1I7kQdrS0Dz5GMc7YtBqx7WUw0Drz4HJuwYEpbx
5g7XOKFgh859ZvJKv0OPYI+pV//PO58UcJUSxtw6zbo7AylN+p1Gp6obANkOya2A
XqHijdKW/VBPFqVIVFwZbeE3eNopVucyx7RzpqQe0ra95EfiFLJBoCwdxhiDilvS
q+N0G7UL+EtgSKODzDa/VBlH2oWag8VZe+7mtJ3snLyA8IDJjYAzaHVMLQfYD7yS
1Kltq4xmgRNDGLFKI0isu87CxGLWW+1258VCXe7AmW/VSTRmWVlg/xH1eIS1DS1r
sPaKYcYUQqX6IJGlxynI8J3iHxy2BzhDQa1EEiGR5mPD1jtKt+xhbZqOYVAjgurM
5RypjVE+TxJeo2aiWyb097LlNDMt89R8JG54GeoRxlrpYcB61z0YFdnc5FFMILHn
vjJTdqbF6krxPhLZm2/z
=jlDs
-----END PGP SIGNATURE-----
--=-xExZWk4wWaF93+5How8T--
3815
days inactive
3818
days old
4 comments
3 participants
participants (3)
-
David Caro -
Eyal Edri -
Michael Scherer