SELinux review

Description

Ticket to track the progress of the SELinux status in infra

- make sure auditd is enabled

- review AVC denials in the audit logs

- make sure SELinux is enabled (enforcing), with individual domains set permissive where still needed

- have Nagios watch over the SELinux state
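The four items above fit naturally into one Nagios-style check. The script below is an added example, not something attached to this ticket or part of the oVirt infra repository: it maps the `getenforce` mode to a Nagios state, counts AVC denials in audit output and reports which source domains produced them (separating denials that were actually blocked from those logged by a permissive domain, i.e. `permissive=1`), and goes CRITICAL when auditd is not running. The audit log sample embedded in it is constructed for the example; the plugin name and the `--run` switch are assumptions.

```shell
#!/bin/sh
# check_selinux.sh (hypothetical name): Nagios-style SELinux/auditd check.
# Added example, not code from the ticket. The parsing functions take their
# input as arguments so they can be exercised with constructed data.

# Constructed audit output in the raw format auditd / ausearch produce.
# Three AVC denials: one enforced (permissive=0), two from permissive domains.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1482400000.101:200): avc:  denied  { read } for  pid=2101 comm="postfix" name="config.pck" dev="dm-0" ino=4242 scontext=system_u:system_r:postfix_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1482400000.101:200): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1482400000.202:201): avc:  denied  { write } for  pid=2102 comm="httpd" name="private" dev="dm-0" ino=5151 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1482400000.303:202): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=avc:  received policyload notice (seqno=2)
type=AVC msg=audit(1482400000.404:203): avc:  denied  { name_connect } for  pid=2103 comm="python" dest=8025 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Nagios state for a getenforce result: Enforcing=OK, Permissive=WARNING,
# Disabled or anything unexpected=CRITICAL.
selinux_mode_state() {
    case "$1" in
        Enforcing)  echo 0 ;;
        Permissive) echo 1 ;;
        *)          echo 2 ;;
    esac
}

# Number of AVC denial records in the given audit text.
# grep -c prints 0 but exits 1 on no match, so neutralise the exit code.
count_avc_denials() {
    printf '%s\n' "$1" | grep -c '^type=AVC .*avc: *denied' || true
}

# Denials that were really blocked (permissive=0); permissive domains log
# denials with permissive=1 but let the access through.
count_enforced_denials() {
    printf '%s\n' "$1" | grep '^type=AVC .*avc: *denied' | grep -c 'permissive=0' || true
}

# Sorted, space-separated list of source domains (the type field of scontext).
denied_domains() {
    printf '%s\n' "$1" | grep '^type=AVC .*avc: *denied' \
        | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Combine the checks: $1 = getenforce output, $2 = "running"|"stopped" for
# auditd, $3 = audit text. Prints one status line, returns the Nagios code.
selinux_check() {
    mode="$1"; auditd="$2"; log="$3"
    state=$(selinux_mode_state "$mode")
    denials=$(count_avc_denials "$log")
    enforced=$(count_enforced_denials "$log")
    domains=$(denied_domains "$log")
    msg="SELinux $mode, auditd $auditd, $denials AVC denials ($enforced blocked)"
    [ -n "$domains" ] && msg="$msg, domains: $domains"
    # No auditd means no AVC trail at all: treat as CRITICAL.
    if [ "$auditd" != running ]; then state=2; fi
    # Enforcing but producing denials: something needs a policy fix or review.
    if [ "$state" -lt 1 ] && [ "$denials" -gt 0 ]; then state=1; fi
    case "$state" in
        0) echo "OK - $msg" ;;
        1) echo "WARNING - $msg" ;;
        *) echo "CRITICAL - $msg" ;;
    esac
    return "$state"
}

# Live run on a host: getenforce, pgrep and ausearch are the real tools.
main() {
    mode=$(getenforce 2>/dev/null || echo Unknown)
    if pgrep -x auditd >/dev/null 2>&1; then auditd=running; else auditd=stopped; fi
    log=$(ausearch -m AVC -ts today 2>/dev/null || true)
    selinux_check "$mode" "$auditd" "$log"
}

# Only run the live check when asked, so the file can be sourced for testing.
if [ "${1:-}" = --run ]; then main "$@"; fi
```

Run it as `sh check_selinux.sh --run` from NRPE or cron; the exit code follows the usual Nagios convention (0 OK, 1 WARNING, 2 CRITICAL). On a host where a domain has deliberately been set permissive, the `permissive=1` denials still show up in the count, which is exactly the list to work through before that domain can go back to enforcing.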

Activity

Former user May 11, 2017 at 8:05 AM

Critical services rebuilt, SELinux enabled on new systems.

Former user January 2, 2017 at 7:08 AM

All the hosts that were recently rebuilt (hypervisors, engine, etc.) have SELinux in Enforcing mode on them and that is the plan. The three remaining machines on Alterway need to be moved and rebuilt as well and for sure they will have SELinux in Enforcing as well. I've already started testing Monitoring migration in https://ovirt-jira.atlassian.net/browse/OVIRT-502#icft=OVIRT-502 and it works fine with SELinux.

Eyal Edri December 26, 2016 at 7:32 PM

Agree, all servers should run with selinux enforcing and audit enabled, just need to verify it.

Marc Dequènes (Duck) December 22, 2016 at 11:44 AM

Quack, well, lists.phx.ovirt.org has it enabled (enforcing) with auditd up. I ensured permissions including selinux ones for mailman. Evgheni helped on perms, and added extra rules for postfix<->mailman IIRC. This needs to be documented as it is custom. Still we need to check if nothing else is dropping errors. I will have a look soon. No idea about Nagios.

Why would we accept permissive behavior? I think we should strive to get it enforced everywhere.

Eyal Edri December 22, 2016 at 10:13 AM

I guess this ticket needs a refresh since we moved some services around?

Done

Details

Created June 9, 2014 at 11:28 AM
Updated June 1, 2017 at 11:31 AM
Resolved May 11, 2017 at 8:05 AM