Selinux, because it is friday
Eyal Edri
eedri at redhat.com
Sun Jun 8 06:47:44 UTC 2014
----- Original Message -----
> From: "David Caro" <dcaroest at redhat.com>
> To: "Michael Scherer" <mscherer at redhat.com>
> Cc: infra at ovirt.org
> Sent: Friday, June 6, 2014 5:24:20 PM
> Subject: Re: Selinux, because it is friday
>
> On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > Hi again,
> >
> > while looking at servers, I also couldn't help noticing that SELinux is
> > either disabled or set as permissive on the few servers I looked at, one
> > even having auditd disabled.
> >
> > So I did enable auditd with the goal of collecting violations in
> > audit.log ( aka AVC ), and I plan to look at them. I already started to
> > fix a few violations showing up in the log.
> >
> > Sometimes, this would just be enabling a boolean to configure SELinux
> > ( i.e., enable some specific access ), sometimes, it was just a wrongly
> > labelled file ( on monitoring.ovirt, mostly ).
> >
> > I do not plan to set SELinux in enforcing mode before having checked that
> > there is no problem for a longer period of time, and of course, not if
> > people think it is not wise. I also so far only propose to do that host
> > by host, as I guess the jenkins ones may be more complex to limit.
> >
> > I will report with what I found and so we will discuss if we make the
> > switch or not.
> >
thanks for this effort michael! security is always important and sometimes unfortunately
gets pushed behind other urgent tasks.
after we've made sure enabling selinux doesn't break anything, can we ensure it's set for all servers
via puppet?
also - might be worth opening a ticket in trac on it for tracking progress..
eyal.
> >
> > _______________________________________________
> > Infra mailing list
> > Infra at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/infra
>
> Thanks michael!
> --
> David Caro
>
> Red Hat S.L.
> Continuous Integration Engineer - EMEA ENG Virtualization R&D
>
> Email: dcaro at redhat.com
> Web: www.redhat.com
> RHT Global #: 82-62605
>
>
> _______________________________________________
> Infra mailing list
> Infra at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
>