
Re: [HTCondor-users] little selinux glitch with rpm package (CentOS 6 x86_64)

Tangentially, what benefit is there to enabling SELinux in an HTCondor pool?

The purpose of SELinux is to contain exploits against unknown remote
vulnerabilities in exposed services like web servers and database
engines. A typical compute node won't have any exposed services other
than the condor_master and maybe an SSH daemon. These can be constrained to
your LAN by a site-wide firewall or a couple of iptables rules on each
node. External attackers can't exploit vulnerabilities in services if
they cannot connect to those services.

There is a class of kernel vulnerabilities that is more easily exploited
with SELinux enabled than with it disabled. With HTCondor you're
allowing users to run literally anything they want on nodes in the pool.
Better to disable SELinux and close off those local vulnerabilities, yes?

-- 
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science
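The "couple of iptables rules on each node" mentioned in the message above, written out as an added example (this is not code from the original post or from the HTCondor project). It generates, and optionally applies, an INPUT chain that drops everything inbound except HTCondor traffic (TCP 9618, the HTCondor default listen port used by the collector and shared_port) and SSH (TCP 22) from a LAN range. The LAN range 10.20.0.0/16 is an assumed placeholder; substitute your own. Without `--apply` the script only prints the commands, so it can be reviewed or diffed before touching a node.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Emit iptables rules that expose HTCondor and sshd to one LAN range only.
# 10.20.0.0/16 below is an assumed placeholder LAN, not a real site value.

CONDOR_PORT=9618   # HTCondor default listen port (collector / shared_port)
SSH_PORT=22

# condor_lan_rules LAN_CIDR [CONDOR_PORT] [SSH_PORT]
# Prints one iptables command per line. Nothing is executed here.
# "-m state" is used rather than "-m conntrack" so the rules also load on
# the CentOS 6 kernel the thread subject refers to (both work there).
condor_lan_rules() {
    lan="$1"
    cport="${2:-$CONDOR_PORT}"
    sport="${3:-$SSH_PORT}"
    case "$lan" in
        */*) ;;                                  # require a CIDR, e.g. 10.20.0.0/16
        *)   echo "usage: condor_lan_rules LAN_CIDR [condor_port] [ssh_port]" >&2
             return 1 ;;
    esac
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $lan -p tcp --dport $cport -j ACCEPT
iptables -A INPUT -s $lan -p tcp --dport $sport -j ACCEPT
iptables -A INPUT -s $lan -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# The "before" state this replaces is the distribution default of an
# ACCEPT policy with the condor and ssh ports reachable from any source.
#
#   ./condor_lan.sh                  -> print rules for the placeholder LAN
#   ./condor_lan.sh 192.0.2.0/24     -> print rules for another LAN
#   sudo ./condor_lan.sh --apply 192.0.2.0/24 -> run them (needs root)
case "${1:-}" in
    --apply) condor_lan_rules "${2:-10.20.0.0/16}" | sh -e -x ;;
    *)       condor_lan_rules "${1:-10.20.0.0/16}" ;;
esac
```

If the pool's daemons are configured to use a dynamic port range (LOWPORT/HIGHPORT) instead of a single shared port, pass that range as the condor port argument in `--dport low:high` form, or add a second ACCEPT line for it; the ESTABLISHED,RELATED rule already covers return traffic for connections the node opens to the central manager. On CentOS 6 the applied rules are lost at reboot unless saved with `service iptables save`.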