Over the past few months, I've been working closely with Dan Walsh and Mike McGrath to solidify our SELinux deployment. We're not yet to the point where we can flip every system into enforcing mode, but we're getting close. We're at the point now where we can pretty much do everything we need to do via our puppet configuration, and we've created a handful of constructs that can be used to configure various aspects of SELinux, for example:

== Setting custom context

    semanage_fcontext { '/var/tmp/l10n-data(/.*)?':
      type => 'httpd_sys_content_t'
    }

== Toggling booleans

    selinux_bool { 'httpd_can_network_connect_db':
      bool => 'on'
    }

== Allowing ports

    semanage_port { '8081-8089':
      type  => 'http_port_t',
      proto => 'tcp'
    }

== Deploying custom policy

    semodule { 'fedora': }

I created a custom 'fedora' selinux module that is loaded on all systems (that are configured with 'include selinux'). This module exists to fix various issues custom to our environment, and to cover up minor annoyances such as leaky file descriptors.

So, now it's just a matter of hunting down the existing issues, and fixing them in puppet or in the SELinux policy. I've been keeping our infrastructure ahead of the RHEL5 selinux-policy, as Dan has fixed a lot of our issues in his rpms.

I threw together a basic SOP for our SELinux configuration here:

https://fedoraproject.org/wiki/Infrastructure/SOP/SELinux

You can keep up to date on our SELinux deployment status here:

https://fedorahosted.org/fedora-infrastructure/ticket/230

Cheers,
luke
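Added example, not Luke's code and not part of the Fedora puppet modules: the existence checks an idempotent puppet type for the three settings above has to make before it runs `semanage ... -a` or `setsebool -P`, applied to constructed `semanage fcontext -l`, `semanage port -l` and `getsebool -a` listings (the column layout of those listings is assumed from the semanage/getsebool tools, and the sample values are made up for this example).

```python
import re

# Constructed listings, not captured from Fedora infrastructure hosts.
FCONTEXT_LIST = """\
/var/tmp/l10n-data(/.*)?                 all files   system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                           all files   system_u:object_r:httpd_sys_content_t:s0
/var/tmp/scratch(/.*)?                   all files   <<None>>
"""
PORT_LIST = """\
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp
amanda_port_t                  tcp      10080-10083
"""
BOOL_LIST = """\
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
"""

def fcontext_present(listing, pattern, setype):
    """True if `pattern` is already mapped to `setype` in `semanage fcontext -l` output."""
    for line in listing.splitlines():
        parts = line.split()
        ctx = parts[-1].split(":") if parts else []
        if len(parts) >= 3 and parts[0] == pattern and len(ctx) >= 3 and ctx[2] == setype:
            return True
    return False

def port_range_covered(listing, proto, setype, lo, hi):
    """True if every port in lo..hi is assigned to `setype`/`proto` in `semanage port -l` output."""
    covered = set()
    for line in listing.splitlines():
        m = re.match(r"(\S+)\s+(tcp|udp)\s*(.*)", line)
        if not m or m.group(1) != setype or m.group(2) != proto:
            continue
        for item in filter(None, (x.strip() for x in m.group(3).split(","))):
            a, _, b = item.partition("-")          # single port or "lo-hi" range
            covered.update(range(int(a), int(b or a) + 1))
    return all(p in covered for p in range(lo, hi + 1))

def bool_state(getsebool_output, name):
    """Return 'on'/'off' for `name` from `getsebool -a` output, or None if unknown."""
    for line in getsebool_output.splitlines():
        key, sep, val = line.partition(" --> ")
        if sep and key.strip() == name:
            return val.strip()
    return None

def outstanding_changes(fcontexts, ports, bools):
    """Commands still needed for the three settings from the post; empty means already converged."""
    todo = []
    if not fcontext_present(fcontexts, "/var/tmp/l10n-data(/.*)?", "httpd_sys_content_t"):
        todo.append("semanage fcontext -a -t httpd_sys_content_t '/var/tmp/l10n-data(/.*)?'")
    if not port_range_covered(ports, "tcp", "http_port_t", 8081, 8089):
        todo.append("semanage port -a -t http_port_t -p tcp 8081-8089")
    if bool_state(bools, "httpd_can_network_connect_db") != "on":
        todo.append("setsebool -P httpd_can_network_connect_db on")
    return todo
```

With the sample listings the file context is already in place, so only the port range and the boolean are reported as outstanding.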
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list