On Monday, 09 June 2014 at 13:19 +0200, Michael Scherer wrote:
> On Sunday, 08 June 2014 at 02:47 -0400, Eyal Edri wrote:
> >
> > ----- Original Message -----
> > > From: "David Caro" <dcaro...@redhat.com>
> > > To: "Michael Scherer" <msche...@redhat.com>
> > > Cc: infra@ovirt.org
> > > Sent: Friday, June 6, 2014 5:24:20 PM
> > > Subject: Re: Selinux, because it is friday
> > >
> > > On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > > > Hi again,
> > > >
> > > > while looking at servers, I also couldn't help noticing that selinux is
> > > > either disabled or set as permissive on the few servers I looked at, one
> > > > even having auditd disabled.
> > > >
> > > > So I did enable auditd with the goal of collecting violations in
> > > > audit.log (aka AVC), and I plan to look at them. I already started to
> > > > fix a few violations showing up in the log.
> > > >
> > > > Sometimes this would just be enabling a boolean to configure selinux
> > > > (i.e., enable some specific access), sometimes it was just a wrongly
> > > > labelled file (on monitoring.ovirt, mostly).
> > > >
> > > > I do not plan to set selinux in enforcing mode before having checked that
> > > > there is no problem for a longer period of time, and of course not if
> > > > people think it is not wise. I also so far only propose to do that host
> > > > by host, as I guess the jenkins ones may be more complex to limit.
> > > >
> > > > I will report with what I found and so we will discuss if we make the
> > > > switch or not.
> >
> > thanks for this effort michael! security is always important and sometimes
> > unfortunately gets pushed behind other urgent tasks.
> >
> > after we've made sure enabling selinux doesn't break anything, can we
> > ensure it's set for all servers via puppet?
>
> yes.
> Either by forcing the content of /etc/selinux/config, or with augeas.
>
> I would even be more radical and make sure selinux is set to enforcing
> with nagios, i.e. get an alert if someone/something disables it.
>
> > also - might be worth opening a ticket in trac on it for tracking progress..
>
> yep, good point.

https://fedorahosted.org/ovirt/ticket/158

I am completing the ticket with what we discussed.

--
Michael Scherer
Open Source and Standards, Sysadmin
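The thread proposes two controls: have Puppet keep /etc/selinux/config at SELINUX=enforcing, and have Nagios alert when a host is not actually enforcing, while AVC denials collected by auditd are reviewed before the switch. The script below is an added example, not code from the oVirt infra team or from anyone in this thread. It is a Nagios-style check (exit 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) that compares the runtime mode (what `getenforce` reports) against the persisted mode in the config file, so a live `setenforce 0` on an otherwise enforcing host is caught, plus a small summary of `type=AVC ... denied` records from an audit.log. Everything it reads in demo mode (the config file, the audit log lines, the directory names) is constructed inline; only the `--host` path touches the real `getenforce` and /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not the oVirt infra team's code): Nagios-style SELinux
# enforcing check plus an AVC denial summary. Fixtures below are constructed.

# Print the SELINUX= value from an /etc/selinux/config style file, ignoring
# comments and the unrelated SELINUXTYPE= line. Prints "missing" if absent.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-missing}"
}

# $1 = runtime mode as printed by getenforce (Enforcing/Permissive/Disabled),
# $2 = path to the persisted config. Nagios exit codes: 0 OK, 1 WARNING,
# 2 CRITICAL, 3 UNKNOWN. Permissive at runtime with enforcing on disk means
# someone ran "setenforce 0"; the box comes back enforcing at reboot, so WARNING.
check_selinux_state() {
    runtime=$1
    persisted=$(selinux_config_mode "$2")
    case "$runtime/$persisted" in
        Enforcing/enforcing)
            echo "SELINUX OK - enforcing at runtime and in config"; return 0 ;;
        Permissive/enforcing)
            echo "SELINUX WARNING - runtime is permissive, config says enforcing"; return 1 ;;
        Unknown/*)
            echo "SELINUX UNKNOWN - getenforce not available (config=$persisted)"; return 3 ;;
        Disabled/*|*/disabled)
            echo "SELINUX CRITICAL - disabled (runtime=$runtime config=$persisted)"; return 2 ;;
        *)
            echo "SELINUX CRITICAL - not enforcing (runtime=$runtime config=$persisted)"; return 2 ;;
    esac
}

# Number of kernel AVC denial records in an audit.log (0 when none, not an error).
avc_denial_count() {
    grep -c 'type=AVC .*denied' "$1" || true
}

# One line per distinct (comm, tclass, permission) denial, most frequent first.
# This is the view you want before deciding between a boolean and a relabel.
avc_summary() {
    grep 'type=AVC .*denied' "$1" | awk '{
        comm = ""; tclass = ""; perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)   { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
            if ($i == "{")       { perm = $(i + 1) }   # "denied  { read } for ..."
        }
        print comm, tclass, perm
    }' | sort | uniq -c | sort -rn
}

# Constructed fixtures for the demo: a permissive config and a few audit records.
make_fixtures() {
    cat > "$1/selinux.config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted
EOF
    cat > "$1/audit.log" <<'EOF'
type=AVC msg=audit(1402300000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1402300000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1402300000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="dm-0" ino=4002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1402300000.103:203): avc:  denied  { name_connect } for  pid=1300 comm="nrpe" dest=5666 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:inetd_child_port_t:s0 tclass=tcp_socket
EOF
}

if [ "${1:-}" = "--host" ]; then
    # Real plugin mode for NRPE: inspect this host and exit with the Nagios code.
    runtime=$(getenforce 2>/dev/null || echo Unknown)
    check_selinux_state "$runtime" /etc/selinux/config
    exit $?
fi

# Demo mode: run the same checks against the constructed fixtures.
demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
check_selinux_state Permissive "$demo_dir/selinux.config" || echo "exit code: $?"
echo "AVC denials: $(avc_denial_count "$demo_dir/audit.log")"
avc_summary "$demo_dir/audit.log"
rm -rf "$demo_dir"
```

Run it with `--host` under NRPE to get the alert the thread asks for; without arguments it exercises the constructed fixtures and reports CRITICAL, since that config says permissive. The check deliberately reads the persisted mode as well as the runtime one: Puppet enforcing /etc/selinux/config only takes effect at reboot, so without the runtime comparison a host left in permissive by `setenforce 0` would look compliant.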
_______________________________________________ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra