
Re: [HTCondor-users] little selinux glitch with rpm package (CentOS 6 x86_64)

Tim St Clair wrote:
> This depends entirely on the pool, and it's use cases.  If you have
> an isolated/sandbox'd pool then you are correct.

I've been managing a pool on an open network for five years. It had been
running for 3-4 years prior to my inheriting it. No site-wide firewalls,
no SELinux, just some iptables rules to constrain Condor and NFS (we
need it for shared storage) to the LAN. I've had one compromise and that
was due to a bad password.

> However if you let others flock to your pool, it would be unwise to disable. 

If they can flock to the pool then they have unfettered local access to
the execute nodes. SELinux makes it *easier* for them to exploit local
privilege escalation vulnerabilities in the kernel. It makes your pool
*less* secure against the kinds of threats that you're most likely to

Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science