SELinux lockdown

Hey everyone,

So I've been doing a lot of SELinux/audit related work behind the scenes
within our infrastructure for a while now, working closely with Dan
Walsh and Steve Grubb.  It's taken a lot of patience and hard work, but
we're finally at the point where we can start switching large portions
of our infrastructure over to SELinux Enforcing mode.

The following server groups are now fully enforcing:

    o gateway
    o people
    o planet
    o fas
    o collab
    o releng
    o db
    o torrent
    o dns

These are all groups of machines that have not had any SELinux
denials in at least a month.  If you notice any issues with
regard to these groups, please speak up.

I will be keeping a close eye on these machines, and I encourage anyone
that is interested to do the same.  I threw together a little tool that
I've been using to monitor & manage SELinux on our machines.  It uses
func, and allows you to do the following:

    Get the SELinux status:

        selinux-overlord.py --status

    Display all enforced denials:

        selinux-overlord.py --enforced-denials

    Dump all raw AVCs to disk.  Each minion will have its own file:

        selinux-overlord.py --dump-avcs

    Upgrade the SELinux policy RPMs:

        selinux-overlord.py --upgrade-policy

It defaults to querying all minions, but you can specify groups of them
if you wish:

       selinux-overlord.py --status app* db*

This script should ideally be its own func module, but in the meantime
I added it to the fedora-infrastructure git repository:

    http://git.fedorahosted.org/git/?p=fedora-infrastructure.git;a=blob_plain;f=scripts/selinux/selinux-overlord.py;hb=HEAD

More information on our SELinux deployment can be found in our
[out of date] SOP: http://fedoraproject.org/wiki/Infrastructure/SOP/SELinux

luke

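The "--enforced-denials" and "--dump-avcs" views described in the post, reconstructed as a stand-alone parser. This is an added example, not the selinux-overlord.py script from the fedora-infrastructure repository, and it does not use func: it takes raw AVC records already collected per host (one list per minion, as the dump step would leave on disk), reads the permissive= field the kernel appends to each AVC record to separate enforced denials (permissive=0, the access was actually blocked) from permissive-mode denials (permissive=1, logged only), and groups denials by source type, target type, object class and permission so a policy fix can be targeted. The hostnames, the example.test domain and the audit lines are constructed for illustration; records without a permissive= field (older kernels do not emit it) are counted as "unknown" rather than guessed.

```python
"""Summarise SELinux AVC records per host: enforced vs permissive denials.

Added example, not the selinux-overlord.py tool from the post and not using
func. Hostnames, the example.test domain and the audit records below are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample input: {hostname: raw audit lines for that minion}.
SAMPLE_AVCS = {
    "db01.example.test": [
        'type=AVC msg=audit(1241000000.123:45): avc:  denied  { read } for  pid=1234 comm="mysqld" name="my.cnf" dev=sda1 ino=9876 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
        'type=AVC msg=audit(1241000001.456:46): avc:  denied  { write } for  pid=1234 comm="mysqld" name="slow.log" dev=sda1 ino=9877 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0',
        'type=SYSCALL msg=audit(1241000001.456:46): arch=c000003e syscall=2 success=no exit=-13',
    ],
    "people01.example.test": [
        'type=AVC msg=audit(1241000002.789:47): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1',
    ],
    "dns01.example.test": [],
}

# Matches the fields of a "type=AVC ... avc: denied { perms } for ..." record.
# The trailing permissive=0/1 field is optional because older kernels omit it.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    if d["permissive"] is None:
        enforced = None          # field absent: cannot tell from the record alone
    else:
        enforced = d["permissive"] == "0"   # permissive=0 => access was blocked
    return {
        "perms": d["perms"].split(),
        "comm": d["comm"],
        "stype": type_of(d["scontext"]),
        "ttype": type_of(d["tcontext"]),
        "tclass": d["tclass"],
        "enforced": enforced,
    }


def summarize(avcs_by_host):
    """Per host: denial counts by mode and a tally keyed by (stype, ttype, tclass, perm)."""
    summary = {}
    for host, lines in avcs_by_host.items():
        counts = {"enforced": 0, "permissive": 0, "unknown": 0}
        rules = defaultdict(int)
        for line in lines:
            rec = parse_avc(line)
            if rec is None:
                continue
            if rec["enforced"] is True:
                counts["enforced"] += 1
            elif rec["enforced"] is False:
                counts["permissive"] += 1
            else:
                counts["unknown"] += 1
            for perm in rec["perms"]:
                rules[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
        summary[host] = {"counts": counts, "rules": dict(rules)}
    return summary


def hosts_with_enforced_denials(summary):
    """Hosts that should not be left enforcing without a policy fix."""
    return sorted(h for h, s in summary.items() if s["counts"]["enforced"])


if __name__ == "__main__":
    result = summarize(SAMPLE_AVCS)
    for host, s in sorted(result.items()):
        print(host, s["counts"])
        for key, n in sorted(s["rules"].items()):
            print("   ", n, "x", " ".join(key))
    print("enforced denials on:", hosts_with_enforced_denials(result))
```

The split between enforced and permissive denials is what makes the post's "no denials in at least a month" criterion meaningful: a host in permissive mode can be loud with AVCs that never blocked anything, while a single permissive=0 record on an enforcing host means a service was actually refused access and the policy (or a file label) needs fixing before the host is left that way.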

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
