Hi again, while looking at servers, I also couldn't help noticing that selinux is either disabled or set as permissive on the few servers I looked, one even having auditd disabled.
So I did enable auditd with the goal of collecting violation in audit.log ( aka AVC ), and I plan to look at them. I already started to fix a few violations showing up in the log. Sometime, this would just be enabling a boolean to configure selinux ( ie, enable some specific access ), sometime, it was just wrongly labelled file ( on monitoring.ovirt, mostly ). I do not plan to set selinux in enforcing mode before having check that there is no problem for a longer period of time, and of course, not if people think it is not wise. I also so far only propose to do that host by host, as I guess the jenkins ones may be more complex to limit. I wil report with what I foud and so we will discuss if we make the switch or not. -- Michael Scherer Open Source and Standards, Sysadmin
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
