SELinux lockdown

Mike McGrath mmcgrath at redhat.com
Sat May 2 20:45:53 UTC 2009


On Sat, 2 May 2009, Luke Macken wrote:

> Hey everyone,
>
> So I've been doing a lot of SELinux/audit related work behind the scenes
> within our infrastructure for a while now, working closely with Dan
> Walsh and Steve Grubb.  It's taken a lot of patience and hard work, but
> we're finally at the point where we can start switching large portions
> of our infrastructure over to SELinux Enforcing mode.
>
> The following server groups are now fully enforcing:
>
>     o gateway
>     o people
>     o planet
>     o fas
>     o collab
>     o releng
>     o db
>     o torrent
>     o dns
>
> These are all groups of machines that have not had any SELinux
> denials in at least a month.  If you notice any issues with
> regard to these groups, please speak up.
>
> I will be keeping a close eye on these machines, and I encourage anyone
> that is interested to do the same.  I threw together a little tool that
> I've been using to monitor & manage SELinux on our machines.  It uses
> func, and allows you to do the following:
>
>     Get the SELinux status:
>
>         selinux-overlord.py --status
>
>     Display all enforced denials:
>
>         selinux-overlord.py --enforced-denials
>
>     Dump all raw AVCs to disk.  Each minion will have its own file:
>
>         selinux-overlord.py --dump-avcs
>
>     Upgrade the SELinux policy RPMs:
>
>         selinux-overlord.py --upgrade-policy
>
> It defaults to querying all minions, but you can specify groups of them
> if you wish:
>
>        selinux-overlord.py --status app* db*
>
> This script should ideally be its own func module, but in the meantime
> I added it to the fedora-infrastructure git repository:
>
>     http://git.fedorahosted.org/git/?p=fedora-infrastructure.git;a=blob_plain;f=scripts/selinux/selinux-overlord.py;hb=HEAD
>
> More information on our SELinux deployment can be found in our
> [out of date] SOP: http://fedoraproject.org/wiki/Infrastructure/SOP/SELinux
>

Thanks for working on this Luke.  I just wanted to let people know that
since we're not all trained on selinux yet, if something is coming up that
needs to be done "right now", like an outage, and selinux is preventing
that, it's acceptable for now to put the box in permissive mode with:

setenforce 0

But if you do that, you must open a ticket so that we can get the proper
selinux policy updated.  If you have any questions please talk to me or
luke and we'll figure something out.

	-Mike
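As an added example (not Luke's selinux-overlord.py linked above, and not part of the original thread), here is a small parser for the raw AVC records such a tool dumps: it separates denials that were actually enforced (permissive=0) from ones that were only logged, and tallies them by source domain, target class and permission so the noisy ones are visible before anyone reaches for setenforce 0. The audit lines are constructed samples, not records from the hosts in the thread.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not from the hosts in the thread):
# two enforced denials (permissive=0), one logged-only denial (permissive=1),
# and a SYSCALL record that the parser should ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1241295953.123:4521): avc:  denied  { read } for  pid=2411 comm="httpd" name="index.html" dev=sda3 ino=9021 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1241295954.456:4522): avc:  denied  { name_connect } for  pid=2411 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1241295955.789:4523): avc:  denied  { write } for  pid=3100 comm="named" name="named.run" dev=sda3 ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1241295953.123:4521): arch=c000003e syscall=2 success=no exit=-13
"""

# Fields of an AVC denial record; the trailing permissive= field is optional
# because older kernels do not emit it.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_avcs(text):
    """Return one dict per AVC denial record found in the audit text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()  # "{ read write }" -> two perms
            records.append(rec)
    return records

def enforced_denials(records):
    """Denials that actually blocked the access (permissive=0). Records without
    a permissive= field are left out: enforcement cannot be decided from them."""
    return [r for r in records if r["permissive"] == "0"]

def summarize(records):
    """Count denials by (source domain type, target class, permission)."""
    counts = Counter()
    for r in records:
        domain = r["scontext"].split(":")[2]  # user:role:type:level -> type
        for perm in r["perms"]:
            counts[(domain, r["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AUDIT)
    for r in enforced_denials(recs):
        print("ENFORCED", r["comm"], r["scontext"], "->", r["tcontext"], r["tclass"], r["perms"])
    for key, n in summarize(recs).most_common():
        print(n, key)
```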