[katello-devel] Foreman and - yeah - SELinux

Lukas Zapletal lzap at redhat.com
Tue Oct 2 11:04:12 UTC 2012


I have noticed we do not have any SELinux policy for Foreman, but we
start it in the confined mode. Therefore once we start with more
integrations we will likely hit an issue - Foreman won't be able to do
anything in confined mode :-)

I am putting a new item on the backlog:

As a user, I'd like to have SELinux policy for Foreman

I have also noticed there is now a thin_d domain in both Fedoras and
RHEL6. We run the main Katello process in the initrc_t domain which is
nasty. Therefore I am creating another sprint task:

As a dev, I'd like to run the katello process in its own domain

Our current SELinux policies are quite permissive and they were created
quickly, maybe it's time to harden the stuff:

As a dev, I'd like to harden Katello SELinux policy

Now the question is if Foreman developers are able to deliver this
feature for us, because from our experience with SELinux it is always
better when devs with experience with the codebase are hardening the
stuff. Otherwise we can only provide a lower quality "get it only working"
version, which is also usually not tested enough (guys are often running
into issues due to missing rules).



 Lukas "lzap" Zapletal
 #katello #systemengine
