Re: [HTCondor-users] little selinux glitch with rpm package (CentOS 6 x86_64)

[Rich Pieri <ratinox@xxxxxxx>]

Tim St Clair wrote:
> This depends entirely on the pool, and it's use cases.  If you have
> an isolated/sandbox'd pool then you are correct.

I've beem managing a pool on an open network for five years. It had been
running for 3-4 years prior to my inheriting it. No site-wide firewalls,
no SELinux, just some iptables rules to constrain Condor and NFS (we
need it for shared storage) to the LAN. I've had one compromise and that
was due to a bad passord.


> However if you let others flock to your pool, it would be unwise to disable. 

If they can flock to the pool then they have unfettered local access to
the execute nodes. SELinux makes it *easier* for them to exploit local
privilege escalation vulnerabilities in the kernel. It makes your pool
*less* secure against the kinds of threats that you're most likely to
encounter.

-- 
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science