[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

SELinux status update



Over the past few months, I've been working closley with Dan Walsh and
Mike McGrath to solidify our SELinux deployment.  We're not yet to the
point where we can flip every system into enforcing mode, but we're
getting close.

We're at the point now where we can pretty much do everything we need to
do via our puppet configuration, and we've created a handful of
constructs that can be used to configure various aspects of SELinux, for
example:

== Setting custom context

    semanage_fcontext { '/var/tmp/l10n-data(/.*)?':
        type => 'httpd_sys_content_t'
    }

== Toggling booleans

    selinux_bool { 'httpd_can_network_connect_db': bool => 'on' }

== Allowing ports

    semanage_port { '8081-8089': type => 'http_port_t', proto => 'tcp' }

== Deploying custom policy

    semodule { 'fedora': }

I created a custom 'fedora' selinux module that is loaded on all systems
(that are configured with 'include selinux').  This module exists to fix
various issues custom to our environment, and to cover up minor
annoyances such as leaky file descriptors.

So, now it's just a matter of hunting down the existing issues, and
fixing them in puppet or in the SELinux policy.  I've been keeping our
infrastructure ahead of the RHEL5 selinux-policy, as Dan has fixed a lot
of our issues in his rpms.

I threw together a basic SOP for our SELinux configuration here:

    https://fedoraproject.org/wiki/Infrastructure/SOP/SELinux

You can keep up to date on our SELinux deployment status here:

    https://fedorahosted.org/fedora-infrastructure/ticket/230

Cheers,

luke

Attachment: pgpwqk4z4wP43.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]