Re: [HTCondor-users] little selinux glitch with rpm package (CentOS 6 x86_64)
- Date: Fri, 25 Oct 2013 10:31:43 -0400 (EDT)
- From: Tim St Clair <tstclair@xxxxxxxxxx>
- Subject: Re: [HTCondor-users] little selinux glitch with rpm package (CentOS 6 x86_64)
This depends entirely on the pool, and its use cases. If you have an isolated/sandbox'd pool then you are correct.
However if you let others flock to your pool, it would be unwise to disable.
----- Original Message -----
> From: "Rich Pieri" <ratinox@xxxxxxx>
> To: "HTCondor-Users Mail List" <htcondor-users@xxxxxxxxxxx>
> Sent: Friday, October 25, 2013 9:18:53 AM
> Subject: Re: [HTCondor-users] little selinux glitch with rpm package (CentOS 6 x86_64)
> Tangentially, what benefit is there to enabling SELinux in an HTCondor pool?
> The purpose of SELinux is to contain exploits against unknown remote
> vulnerabilities in exposed services like web servers and database
> engines. A typical compute node won't have any exposed services other
> than the condor_master and maybe SSH daemon. These can be constrained to
> your LAN by a site-wide firewall or a couple of iptables rules on each
> node. External attackers can't exploit vulnerabilities in services if
> they cannot connect to those services.
> There is a class of kernel vulnerabilities that is more easily exploited
> with SELinux enabled than with it disabled. With HTCondor you're
> allowing users to run literally anything they want on nodes in the pool.
> Better to disable SELinux and close off those local vulnerabilities, yes?
> Rich Pieri <ratinox@xxxxxxx>
> MIT Laboratory for Nuclear Science
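As an added illustration of the "couple of iptables rules on each node" Rich mentions (example code, not from either poster): a small generator for rules that let the HTCondor daemon port and sshd be reached only from listed networks. It assumes HTCondor's default shared port 9618/tcp and sshd on 22/tcp; the CIDRs are constructed samples, and the extra CIDR stands for a flocking partner's pool, which is the case where Tim notes you cannot simply rely on the LAN boundary.

```shell
#!/bin/sh
# Added example: emit iptables rules that expose condor_master's port and
# sshd only to the given source networks (first argument = local LAN,
# any further arguments = remote pools allowed to flock in).
# Assumptions: HTCondor on its default port 9618/tcp, sshd on 22/tcp.
# The rules are printed, not applied, so they can be reviewed first.
condor_lan_rules() {
    condor_port="${CONDOR_PORT:-9618}"
    ssh_port="${SSH_PORT:-22}"
    lan="$1"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # HTCondor traffic: local LAN plus every flocking partner range.
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $condor_port -s $cidr -j ACCEPT"
    done
    # sshd: local LAN only; a flocking partner never needs a shell on the node.
    echo "iptables -A INPUT -p tcp --dport $ssh_port -s $lan -j ACCEPT"
    # Everything else to those two ports is dropped.
    echo "iptables -A INPUT -p tcp --dport $condor_port -j DROP"
    echo "iptables -A INPUT -p tcp --dport $ssh_port -j DROP"
}

# How many generated rules mention a given port (ACCEPTs plus the final DROP).
rule_count_for_port() {
    port="$1"; shift
    condor_lan_rules "$@" | grep -c -- "--dport $port"
}

# Total number of rules generated for a given set of networks.
rule_count() {
    condor_lan_rules "$@" | grep -c '^iptables'
}

if [ "${1:-}" = "--apply" ]; then
    # Root only: pipe the reviewed rules into a shell. Constructed sample LAN.
    shift
    condor_lan_rules "${@:-10.0.0.0/8}" | sh
else
    condor_lan_rules "${@:-10.0.0.0/8}"
fi
```

Once a partner pool is allowed to reach 9618, the "external attackers cannot connect" argument no longer holds for that range, which is why the SELinux question turns on whether flocking is permitted.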