
Re: [HTCondor-users] little selinux glitch with rpm package (CentOS 6 x86_64)



This depends entirely on the pool and its use cases. If you have an isolated/sandboxed pool, then you are correct.

However, if you let others flock to your pool, it would be unwise to disable it.

Cheers,
Tim

----- Original Message -----
> From: "Rich Pieri" <ratinox@xxxxxxx>
> To: "HTCondor-Users Mail List" <htcondor-users@xxxxxxxxxxx>
> Sent: Friday, October 25, 2013 9:18:53 AM
> Subject: Re: [HTCondor-users] little selinux glitch with rpm package (CentOS 6 x86_64)
> 
> Tangentially, what benefit is there to enabling SELinux in an HTCondor pool?
> 
> The purpose of SELinux is to contain exploits against unknown remote
> vulnerabilities in exposed services like web servers and database
> engines. A typical compute node won't have any exposed services other
> than the condor_master and maybe SSH daemon. These can be constrained to
> your LAN by a site-wide firewall or a couple of iptables rules on each
> node. External attackers can't exploit vulnerabilities in services if
> they cannot connect to those services.
> 
> There is a class of kernel vulnerabilities that is more easily exploited
> with SELinux enabled than with it disabled. With HTCondor you're
> allowing users to run literally anything they want on nodes in the pool.
> Better to disable SELinux and close off those local vulnerabilities, yes?
> 
> --
> Rich Pieri <ratinox@xxxxxxx>
> MIT Laboratory for Nuclear Science
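The "couple of iptables rules on each node" that Rich describes, extended with Tim's flocking caveat, as an added example that is not part of either message and is not HTCondor's own configuration: a shell function that emits an iptables-restore fragment exposing condor_master and sshd only to the site LAN, and exposing HTCondor (but not sshd) to the central managers of any pools allowed to flock in. It assumes HTCondor is listening on its default shared port 9618/tcp (set CONDOR_PORT if your pool differs); the LAN prefix and remote addresses in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the HTCondor project): build a minimal
# INPUT policy for a compute node so that condor_master and sshd are reachable
# from the pool LAN only, while remote pools permitted to flock in can reach
# HTCondor but never sshd. Prints an iptables-restore fragment; review it, then
# apply as root with e.g.
#   condor_lan_rules 10.0.0.0/8 192.0.2.10 | iptables-restore -n
# Assumption: HTCondor's default shared port 9618/tcp (override CONDOR_PORT).
CONDOR_PORT=${CONDOR_PORT:-9618}
SSH_PORT=${SSH_PORT:-22}

# Usage: condor_lan_rules LAN_CIDR [FLOCKING_HOST ...]
# Returns 1 (and prints nothing useful) if LAN_CIDR is not in prefix form,
# so a typo like "10.0.0.1" cannot silently produce a single-host "LAN".
condor_lan_rules() {
    lan=$1
    shift
    case $lan in
        */*) ;;
        *) echo "condor_lan_rules: LAN must be a CIDR prefix, got '$lan'" >&2
           return 1 ;;
    esac
    echo '*filter'
    # Default-deny inbound; everything not matched below is dropped.
    echo ':INPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the node itself opened (the startd talking to the
    # collector/schedd, for instance) must still come back in.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Site LAN reaches condor_master's shared port and sshd.
    echo "-A INPUT -s $lan -p tcp --dport $CONDOR_PORT -j ACCEPT"
    echo "-A INPUT -s $lan -p tcp --dport $SSH_PORT -j ACCEPT"
    # Flocking: each remote pool host (constructed addresses in the usage line)
    # gets HTCondor only; sshd stays LAN-only.
    for host in "$@"; do
        echo "-A INPUT -s $host -p tcp --dport $CONDOR_PORT -j ACCEPT"
    done
    echo 'COMMIT'
}
```

The fragment is printed rather than applied so it can be inspected before it locks the node down; the default-drop policy means a mistake in the LAN prefix would cut off SSH, which is the reason the function rejects a non-CIDR first argument. Note that this only limits who can connect to the daemons; it does nothing about what jobs already running on the node can do, which is the separate question the thread is debating.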