09-10-2008, 09:33 PM
Luke Macken

SELinux status update

Over the past few months, I've been working closely with Dan Walsh and
Mike McGrath to solidify our SELinux deployment. We're not yet to the
point where we can flip every system into enforcing mode, but we're
getting close.

We're at the point now where we can pretty much do everything we need to
do via our puppet configuration, and we've created a handful of
constructs that can be used to configure various aspects of SELinux, for
example:

== Setting custom context

semanage_fcontext { '/var/tmp/l10n-data(/.*)?':
    type => 'httpd_sys_content_t'
}

== Toggling booleans

selinux_bool { 'httpd_can_network_connect_db': bool => 'on' }

== Allowing ports

semanage_port { '8081-8089': type => 'http_port_t', proto => 'tcp' }

== Deploying custom policy

semodule { 'fedora': }

I created a custom 'fedora' selinux module that is loaded on all systems
(that are configured with 'include selinux'). This module exists to fix
various issues custom to our environment, and to cover up minor
annoyances such as leaky file descriptors.

So, now it's just a matter of hunting down the existing issues, and
fixing them in puppet or in the SELinux policy. I've been keeping our
infrastructure ahead of the RHEL5 selinux-policy, as Dan has fixed a lot
of our issues in his rpms.

I threw together a basic SOP for our SELinux configuration here:

https://fedoraproject.org/wiki/Infrastructure/SOP/SELinux

You can keep up to date on our SELinux deployment status here:

https://fedorahosted.org/fedora-infrastructure/ticket/230

Cheers,

luke
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
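
What the four Puppet constructs in the post above amount to on the host, as an added example that is not part of the original post and not Fedora Infrastructure's Puppet code. The function names and the `.pp` path argument are assumptions; the `semanage`, `getsebool`, `setsebool` and `semodule` calls are the standard SELinux userland commands.

```shell
#!/bin/sh
# Added example, not Fedora Infrastructure's code. Each function queries the
# current state first and changes it only when needed, like a Puppet exec
# guarded by "unless". Run as root on an SELinux host.

# semanage_fcontext { SPEC: type => TYPE }
ensure_fcontext() {  # $1 = path regex, $2 = SELinux type
    if semanage fcontext -l | SPEC="$1" TYPE="$2" awk '
        $1 == ENVIRON["SPEC"] { split($NF, c, ":"); if (c[3] == ENVIRON["TYPE"]) ok = 1 }
        END { exit !ok }'; then
        return 0
    fi
    # Existing files keep their old label until relabeled with restorecon.
    semanage fcontext -a -t "$2" "$1"
}

# selinux_bool { NAME: bool => on|off }
ensure_bool() {  # $1 = boolean name, $2 = on|off
    # getsebool prints "NAME --> on"; field 3 is the running value.
    if [ "$(getsebool "$1" | awk '{ print $3 }')" = "$2" ]; then
        return 0
    fi
    setsebool -P "$1" "$2"   # -P makes the change persistent
}

# semanage_port { RANGE: type => TYPE, proto => PROTO }
ensure_port() {  # $1 = port or range, $2 = type, $3 = tcp|udp
    if semanage port -l | RANGE="$1" TYPE="$2" PROTO="$3" awk '
        $1 == ENVIRON["TYPE"] && $2 == ENVIRON["PROTO"] {
            for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); if (p == ENVIRON["RANGE"]) ok = 1 }
        }
        END { exit !ok }'; then
        return 0
    fi
    semanage port -a -t "$2" -p "$3" "$1"
}

# semodule { NAME: }  (the compiled .pp path is an assumed extra argument)
ensure_module() {  # $1 = module name, $2 = policy package file
    if semodule -l | NAME="$1" awk '$1 == ENVIRON["NAME"] { ok = 1 } END { exit !ok }'; then
        return 0
    fi
    semodule -i "$2"
}

# e.g. ensure_port 8081-8089 http_port_t tcp   (values taken from the post)
```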
 
09-11-2008, 12:26 AM
"Stephen John Smoogen"

SELinux status update

2008/9/10 Luke Macken <lmacken@redhat.com>:
> Over the past few months, I've been working closely with Dan Walsh and
> Mike McGrath to solidify our SELinux deployment. We're not yet to the
> point where we can flip every system into enforcing mode, but we're
> getting close.
>

Very very very cool. I look forward to reading through all the puppet
side of things.





--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
