Selinux, because it is friday

Michael Scherer mscherer at redhat.com
Mon Jun 9 11:29:51 UTC 2014


On Monday, June 9, 2014 at 13:19 +0200, Michael Scherer wrote:
> On Sunday, June 8, 2014 at 02:47 -0400, Eyal Edri wrote:
> > 
> > ----- Original Message -----
> > > From: "David Caro" <dcaroest at redhat.com>
> > > To: "Michael Scherer" <mscherer at redhat.com>
> > > Cc: infra at ovirt.org
> > > Sent: Friday, June 6, 2014 5:24:20 PM
> > > Subject: Re: Selinux, because it is friday
> > > 
> > > On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > > > Hi again,
> > > >
> > > > while looking at servers, I also couldn't help noticing that selinux is
> > > > either disabled or set as permissive on the few servers I looked, one
> > > > even having auditd disabled.
> > > >
> > > > So I did enable auditd with the goal of collecting violation in
> > > > audit.log ( aka AVC ), and I plan to look at them. I already started to
> > > > fix a few violations showing up in the log.
> > > >
> > > > Sometimes this would just be enabling a boolean to configure selinux
> > > > ( i.e., enable some specific access ), sometimes it was just a wrongly
> > > > labelled file ( on monitoring.ovirt, mostly ).
> > > >
> > > > I do not plan to set selinux in enforcing mode before having checked that
> > > > there is no problem for a longer period of time, and of course, not if
> > > > people think it is not wise. So far I also only propose to do that host
> > > > by host, as I guess the jenkins ones may be more complex to limit.
> > > >
> > > > I will report with what I found and so we will discuss if we make the
> > > > switch or not.
> > > >
> > 
> > thanks for this effort michael! security is always important and sometimes unfortunately
> > gets pushed behind other urgent tasks.
> > 
> > after we've made sure enabling selinux doesn't break anything, can we ensure it's set for all servers
> > via puppet?
> 
> yes. 
> Either by forcing the content of /etc/selinux/config, or with augeas.
> 
> I would even be more radical and make sure selinux is set to enforcing
> with nagios, i.e. get an alert if someone/something disables it.
> 
> > also - might worth opening a ticket in trac on it for tracking progress..
> 
> yep, good point.

https://fedorahosted.org/ovirt/ticket/158
I am completing the ticket with what we discussed.
-- 
Michael Scherer
Open Source and Standards, Sysadmin
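As an added example, not code from this thread or from the oVirt infra tree: a POSIX shell script covering the two ideas discussed above, a Nagios-style check that SELinux is enforcing both at runtime (/sys/fs/selinux/enforce) and in /etc/selinux/config (so a `setenforce 0` or a config edit that only bites on the next reboot both raise an alert), plus a small AVC triage helper that groups denials from audit.log by source context, target context, class and permission. File paths are parameters and the audit lines are constructed, so it runs on a host without SELinux; the `--live` flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the oVirt infra code. Nagios-style SELinux check plus a
# small AVC triage helper. Paths are parameters so both can be exercised
# against constructed files; pass --live to check the real host.

NAGIOS_OK=0; NAGIOS_WARNING=1; NAGIOS_CRITICAL=2

# configured_mode CONFIG -> value of SELINUX= in /etc/selinux/config
# (enforcing|permissive|disabled). Comment lines are ignored, the last
# assignment wins, and SELINUXTYPE= does not match because of the '='.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# runtime_mode ENFORCE -> enforcing|permissive|disabled, read from
# /sys/fs/selinux/enforce: "1" enforcing, "0" permissive; the file does not
# exist when no policy was loaded at boot (SELinux disabled).
runtime_mode() {
    if [ ! -r "$1" ]; then
        echo disabled
    elif [ "$(cat "$1")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# check_selinux ENFORCE CONFIG -> prints one Nagios status line and returns
# the matching exit code. "Enforcing now but not in the config" is only a
# WARNING: the host is protected until the next reboot, then it is not.
check_selinux() {
    rt=$(runtime_mode "$1")
    cfg=$(configured_mode "$2")
    [ -n "$cfg" ] || cfg=unset
    if [ "$rt" = enforcing ] && [ "$cfg" = enforcing ]; then
        echo "SELINUX OK - enforcing (config: $cfg)"
        return $NAGIOS_OK
    elif [ "$rt" = enforcing ]; then
        echo "SELINUX WARNING - enforcing now, but config says $cfg"
        return $NAGIOS_WARNING
    else
        echo "SELINUX CRITICAL - runtime mode is $rt (config: $cfg)"
        return $NAGIOS_CRITICAL
    fi
}

# summarize_avc AUDIT_LOG -> one line per distinct (scontext, tcontext,
# tclass, permissions) tuple, most frequent first. Grouping by tuple rather
# than by raw line separates a labelling problem (many files, one wrong
# tcontext) from a missing boolean (a port or socket class).
summarize_avc() {
    grep 'avc:  denied' "$1" \
      | sed -n 's/.*denied  { \([a-z_ ]*\) }.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 -> \3 \4 { \1 }/p' \
      | sort | uniq -c | sort -rn
}

# Constructed sample in the format auditd writes for AVC records: two file
# reads blocked by a user_home_t label and one outbound connect to a
# database port, plus an unrelated SYSCALL record that must be ignored.
constructed_avc_sample() {
    cat <<'EOF'
type=AVC msg=audit(1402060800.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1402060800.102:202): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="dm-0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1402060800.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1402060800.103:203): arch=c000003e syscall=42 success=no exit=-13
EOF
}

if [ "${1:-}" = "--live" ]; then
    check_selinux /sys/fs/selinux/enforce /etc/selinux/config
    exit $?
else
    # Stand-alone demo: triage the constructed sample instead of the host.
    sample=$(mktemp)
    constructed_avc_sample > "$sample"
    summarize_avc "$sample"
    rm -f "$sample"
fi
```

Run with `--live` as a Nagios plugin (the exit code is the status); without arguments it prints the grouped denials from the constructed sample. In the sample, the two `file { read }` denials against `user_home_t` are the "wrongly labelled file" case from the thread, fixed by relabelling, while the single `tcp_socket { name_connect }` against a port type is the kind of access a boolean controls.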


