SELinux lockdown
Stephen John Smoogen
smooge at gmail.com
Sun May 3 01:05:03 UTC 2009
On Sat, May 2, 2009 at 2:39 PM, Luke Macken <lmacken at redhat.com> wrote:
> Hey everyone,
>
> So I've been doing a lot of SELinux/audit related work behind the scenes
> within our infrastructure for a while now, working closely with Dan
> Walsh and Steve Grubb. It's taken a lot of patience and hard work, but
> we're finally at the point where we can start switching large portions
> of our infrastructure over to SELinux Enforcing mode.
Congrats... I hearts selinux. I would like to go over how this was all
accomplished.. [I will be looking forward to reading the class Dan
does tomorrow too... ]
> The following server groups are now fully enforcing:
>
> o gateway
> o people
> o planet
> o fas
> o collab
> o releng
> o db
> o torrent
> o dns
>
> These are all groups of machines that have not had any SELinux
> denials in at least a month. If you notice any issues with
> regard to these groups, please speak up.
>
> I will be keeping a close eye on these machines, and I encourage anyone
> that is interested to do the same. I threw together a little tool that
> I've been using to monitor & manage SELinux on our machines. It uses
> func, and allows you to do the following:
>
> Get the SELinux status:
>
> selinux-overlord.py --status
>
> Display all enforced denials:
>
> selinux-overlord.py --enforced-denials
Oooooh sexy.
--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
More information about the infrastructure
mailing list