Project

General

Profile

Actions

User story #7054

closed

Confine Rudder processes with SELinux

Added by Alexis Mousset over 9 years ago. Updated almost 3 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
System integration
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

SELinux policies in 3.1 allow enabling SELinux on the systems, but the Rudder processes are still unconfined.

We could define types for the different parts of Rudder and enforce fileacces and port restrictions on them.

Actions #1

Updated by Alexis Mousset about 5 years ago

Done for relayd in 6.0. Keeping for other service, especially for cf-serverd and rudder-jetty.

Actions #2

Updated by Alexis Mousset almost 3 years ago

  • Status changed from New to Rejected

Should be done on a case by case approach, and systemd/namespace/seccomp hardening is probably more important anyway.

Actions

Also available in: Atom PDF