----- Original Message -----
> From: "David Caro" <dcaro...@redhat.com>
> To: "Michael Scherer" <msche...@redhat.com>
> Cc: infra@ovirt.org
> Sent: Friday, June 6, 2014 5:24:20 PM
> Subject: Re: Selinux, because it is friday
> 
> On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > Hi again,
> >
> > while looking at servers, I also couldn't help noticing that selinux is
> > either disabled or set as permissive on the few servers I looked at, one
> > even having auditd disabled.
> >
> > So I did enable auditd with the goal of collecting violations in
> > audit.log ( aka AVC ), and I plan to look at them. I already started to
> > fix a few violations showing up in the log.
> >
> > Sometimes, this would just be enabling a boolean to configure selinux
> > ( ie, enable some specific access ), sometimes, it was just a wrongly
> > labelled file ( on monitoring.ovirt, mostly ).
> >
> > I do not plan to set selinux in enforcing mode before having checked that
> > there is no problem for a longer period of time, and of course, not if
> > people think it is not wise. I also so far only propose to do that host
> > by host, as I guess the jenkins ones may be more complex to limit.
> >
> > I will report with what I found and so we will discuss if we make the
> > switch or not.
> >

thanks for this effort michael! security is always important and sometimes
unfortunately gets pushed behind other urgent tasks.

after we've made sure enabling selinux doesn't break anything, can we ensure
it's set for all servers via puppet?

also - might be worth opening a ticket in trac on it for tracking progress..

eyal.

> >
> > _______________________________________________
> > Infra mailing list
> > Infra@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/infra
> 
> Thanks michael!
> --
> David Caro
> 
> Red Hat S.L.
> Continuous Integration Engineer - EMEA ENG Virtualization R&D
> 
> Email: dc...@redhat.com
> Web: www.redhat.com
> RHT Global #: 82-62605
> 
> 