On Sunday 08 June 2014 at 02:47 -0400, Eyal Edri wrote:
> 
> ----- Original Message -----
> > From: "David Caro" <[email protected]>
> > To: "Michael Scherer" <[email protected]>
> > Cc: [email protected]
> > Sent: Friday, June 6, 2014 5:24:20 PM
> > Subject: Re: Selinux, because it is friday
> > 
> > On Fri 06 Jun 2014 04:06:00 PM CEST, Michael Scherer wrote:
> > > Hi again,
> > > 
> > > while looking at servers, I also couldn't help noticing that selinux is
> > > either disabled or set as permissive on the few servers I looked at, one
> > > even having auditd disabled.
> > > 
> > > So I did enable auditd with the goal of collecting violations in
> > > audit.log ( aka AVC ), and I plan to look at them. I already started to
> > > fix a few violations showing up in the log.
> > > 
> > > Sometimes, this would just be enabling a boolean to configure selinux
> > > ( ie, enable some specific access ), sometimes, it was just a wrongly
> > > labelled file ( on monitoring.ovirt, mostly ).
> > > 
> > > I do not plan to set selinux in enforcing mode before having checked that
> > > there is no problem for a longer period of time, and of course, not if
> > > people think it is not wise. I also so far only propose to do that host
> > > by host, as I guess the jenkins ones may be more complex to limit.
> > > 
> > > I will report what I found and so we will discuss if we make the
> > > switch or not.
> > > 
> 
> Thanks for this effort Michael! Security is always important and sometimes
> unfortunately gets pushed behind other urgent tasks.
> 
> After we've made sure enabling selinux doesn't break anything, can we ensure
> it's set for all servers via puppet?
Yes. Either by forcing the content of /etc/selinux/config, or with augeas.

I would even be more radical and make sure selinux is set to enforcing with
nagios, i.e. get an alert if someone/something disables it.

> Also - might be worth opening a ticket in trac on it for tracking progress..

Yep, good point.

-- 
Michael Scherer
Open Source and Standards, Sysadmin
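The nagios idea in Michael's reply, as an added example that is not part of the thread: a small Nagios-style check script (constructed here, not taken from the oVirt infra repository) that reports CRITICAL when SELinux is not enforcing and WARNING when it is enforcing only at runtime but /etc/selinux/config would revert it at the next boot. It assumes the standard libselinux locations /etc/selinux/config and /sys/fs/selinux/enforce.

```shell
#!/bin/sh
# Nagios-style SELinux check (constructed example). Exit codes follow the
# Nagios plugin convention.
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# Persistent mode: the SELINUX= value in /etc/selinux/config (path as $1,
# or stdin when no path is given). The last uncommented assignment wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$@" | tail -n 1
}

# Runtime mode: /sys/fs/selinux/enforce holds 1 (enforcing) or 0 (permissive);
# the file does not exist at all when SELinux is disabled.
selinux_runtime_mode() {
    enforce_file=${1:-/sys/fs/selinux/enforce}
    [ -r "$enforce_file" ] || { echo disabled; return; }
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Combine both views: $1 = runtime mode, $2 = persistent mode.
# Prints one Nagios status line; the return value is the plugin exit code.
check_selinux() {
    runtime=$1; persistent=$2
    if [ "$runtime" = unknown ]; then
        echo "SELINUX UNKNOWN - cannot read runtime mode"; return $UNKNOWN
    elif [ "$runtime" = enforcing ] && [ "$persistent" = enforcing ]; then
        echo "SELINUX OK - enforcing, persistent across reboot"; return $OK
    elif [ "$runtime" = enforcing ]; then
        # setenforce 1 was run, but the config will undo it at the next boot
        echo "SELINUX WARNING - enforcing now, config says '${persistent:-unset}'"; return $WARNING
    else
        echo "SELINUX CRITICAL - runtime '$runtime', config '${persistent:-unset}'"; return $CRITICAL
    fi
}

# Live check of this host: ./check_selinux.sh --run
if [ "${1:-}" = --run ]; then
    check_selinux "$(selinux_runtime_mode)" "$(selinux_config_mode /etc/selinux/config 2>/dev/null)"
    exit $?
fi
```

Puppet can then both manage /etc/selinux/config and deploy this script as an NRPE command, so a host that drops out of enforcing mode shows up in nagios rather than only in a later audit.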
_______________________________________________
Infra mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/infra
