My "test" boxes (well, they are in fact production systems) are now all up and running SELinux with a "strict" policy and in enforcing mode, after some weeks in "permissive" mode to detect the last missing policy rules (well, maybe I'm still missing something in cron.monthly?)

What took most of the time was in fact to write policy for some services or custom applications that didn't have one before. And that I basically was just checking the logs every day to see if some new audit errors had appeared. Oh, and inbetween we completely emptied the server racks and their wiring and redid the room...

Just to mention a few things that were "missing": My OpenVPN is running a custom script to update DNS on login and logout, which obviously was missing from the SELinux policy. I'm also using heartbeat to failover between the two firewalls and two mailservers; that policy took me probably one hour (without much previous experience) to write. Then I have another custom LDAP to aliases for a Lotus directory (which hopefully will be replaced by a sane application soon... whoever invented "implicite email adresses" should be shot. Just put all email adresses into the directory, so any app can look them up without trying to guess what your generation rules are... firstname.lastname@domain.tld sounds easy, but what with non-ascii characters?)

Anyway, the systems are doing pretty well. Maybe I'm going to enabled SELinux on the web server next. ( (cra-)PHP and typo3 will probably make that more difficult, though...)

Oh, and I need to sort out which of my policy changes are local changes, and which I should feed "upstream".