SELinux, because it is Friday

Michael Scherer mscherer at redhat.com
Fri Jun 6 14:06:00 UTC 2014


Hi again,

While looking at servers, I also couldn't help noticing that SELinux is
either disabled or set to permissive on the few servers I looked at, one
even having auditd disabled.

So I did enable auditd with the goal of collecting violations in
audit.log (aka AVC), and I plan to look at them. I already started to
fix a few violations showing up in the log.

Sometimes, this would just be enabling a boolean to configure SELinux
(i.e., enable some specific access); sometimes, it was just a wrongly
labelled file (on monitoring.ovirt, mostly).

I do not plan to set SELinux to enforcing mode before having checked that
there is no problem for a longer period of time, and of course, not if
people think it is not wise. I also so far only propose to do that host
by host, as I guess the Jenkins ones may be more complex to limit.

I will report back with what I found, and so we will discuss if we make
the switch or not.
-- 
Michael Scherer
Open Source and Standards, Sysadmin
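
Added example, not part of the original message: one way to summarise the AVC denials that auditd collects in audit.log while a host stays permissive, grouping repeats and flagging targets whose type suggests a mislabelled file. The log lines are constructed, and the list of generic types is an assumed heuristic; deciding whether a boolean covers a denial still needs the policy itself (for example via audit2why).

```python
import re
from collections import Counter

# Constructed sample audit.log content (not taken from any real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1402063560.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1402063560.101:410): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1402063571.554:415): avc:  denied  { read } for  pid=2107 comm="httpd" name="logo.png" dev="dm-0" ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1402063602.009:431): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

# Assumption: targets of these types usually mean the file was never labelled
# properly, so relabelling is the first thing to check.
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}

def type_of(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (comm, source type, target type, class, perms) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m["comm"], type_of(m["scon"]), type_of(m["tcon"]),
                   m["tclass"], tuple(m["perms"].split()))

def triage(text):
    """Group identical denials and attach a first-look hint to each group."""
    report = []
    for key, count in Counter(parse_avcs(text)).most_common():
        hint = ("check file label" if key[2] in GENERIC_TYPES
                else "review policy or boolean")
        report.append({"denial": key, "count": count, "hint": hint})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row["count"], row["hint"], *row["denial"])
```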


