Add a cluster policy to allow enforcing sVirt/SELinux on all hosts within a cluster. [Mockup Image attached]

On the "add/edit cluster" window, add a tab "Security Policy" which will include configuration options for:
- sVirt Cluster Policy, with options: Enforcing, Permissive, None.

Clusters' behaviour in each mode:

sVirt Enforcing: All hosts within the cluster must run with SELinux enabled.
- When enabling sVirt Enforcing mode, the engine is to check whether all hosts within the cluster have SELinux turned on; if not, enabling the sVirt Enforcing policy will fail with an appropriate error message.
- When adding a new host to an sVirt Enforcing cluster, if the host does not have SELinux enabled, the host will fail to join the cluster with an appropriate error message.
- When a host changes from SELinux Enforcing to SELinux Permissive, the host will be considered compromised, an alert should be generated and the host should change status to non-responsive. Admin should be able to configure the sVirt policy to migrate running VMs from compromised hosts before changing status to non-operational.

sVirt Permissive: The engine continues to monitor hosts' SELinux status, and adds alerts instead of taking actions.
- When enabling sVirt Permissive mode, the engine is to check which hosts within the cluster do not have SELinux enabled and generate an alert for each host without SELinux enabled.
- When adding a new host, if the host does not have SELinux enabled, an alert will be generated saying the host does not have SELinux enabled, and the host will succeed in joining the cluster.
- When a host changes status from Enforcing to Permissive, an alert will be generated.

None:
- Hosts' SELinux status will be ignored by the engine.

Hosts' general sub-tab should display SELinux status.

sVirt: http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/cddeee980a070d54511c17e2d78baed5/3/jcr:frozenNode/rh:pdfFile.pdf
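The three policy modes described above, as an added example that is not part of the RFE or the engine's own code: a small model of the engine-side checks on policy change, host join and a host's SELinux state change. It assumes "SELinux enabled" means SELinux in enforcing mode, and leaves out the optional VM migration step.

```python
from dataclasses import dataclass, field

# Cluster sVirt policy values from the RFE; host SELinux state as reported by the host.
ENFORCING, PERMISSIVE, NONE = "enforcing", "permissive", "none"

@dataclass
class Host:
    name: str
    selinux: str          # "enforcing", "permissive" or "disabled"
    status: str = "up"

@dataclass
class Cluster:
    policy: str = NONE
    hosts: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

def compliant(host):
    # Assumption: "SELinux enabled" in the RFE means SELinux in enforcing mode.
    return host.selinux == ENFORCING

def set_policy(cluster, policy):
    # Enforcing: refuse if any host is non-compliant. Permissive: one alert per host.
    bad = [h.name for h in cluster.hosts if not compliant(h)]
    if policy == ENFORCING and bad:
        raise ValueError(f"cannot enable sVirt Enforcing, SELinux not enforcing on: {bad}")
    if policy == PERMISSIVE:
        cluster.alerts += [f"{n}: SELinux not enforcing" for n in bad]
    cluster.policy = policy

def add_host(cluster, host):
    # Enforcing: reject a non-compliant host. Permissive: admit it, but alert.
    if not compliant(host) and cluster.policy == ENFORCING:
        raise ValueError(f"{host.name} cannot join: SELinux not enforcing")
    if not compliant(host) and cluster.policy == PERMISSIVE:
        cluster.alerts.append(f"{host.name}: joined without SELinux enforcing")
    cluster.hosts.append(host)

def report_selinux(cluster, host, new_state):
    # A host dropping out of enforcing: Enforcing policy treats it as compromised
    # and marks it non-responsive, Permissive only alerts, None ignores it.
    old, host.selinux = host.selinux, new_state
    if cluster.policy == NONE or old != ENFORCING or new_state == ENFORCING:
        return
    cluster.alerts.append(f"{host.name}: SELinux changed {old} -> {new_state}")
    if cluster.policy == ENFORCING:
        host.status = "non-responsive"
```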
Created attachment 885058 [details] sVirt Cluster Policy Mockup
*** Bug 1086372 has been marked as a duplicate of this bug. ***
CFME should provide the option for compliance checks. This should be part of RHV and CFME integration.