Bug 1086374 - [RFE]sVirt Cluster Policy enforcement
Summary: [RFE]sVirt Cluster Policy enforcement
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Scott Herold
QA Contact: Shai Revivo
URL:
Whiteboard:
Duplicates: 1086372
Depends On: 894084
Blocks:
 
Reported: 2014-04-10 17:34 UTC by Arthur Berezin
Modified: 2016-11-29 09:59 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-29 09:59:01 UTC
oVirt Team: Infra
Embargoed:
ylavi: ovirt-future?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?


Attachments
sVirt Cluster Policy Mockup (22.64 KB, image/png)
2014-04-10 17:35 UTC, Arthur Berezin

Description Arthur Berezin 2014-04-10 17:34:12 UTC
Add a cluster policy to allow enforcing sVirt/SELinux on all hosts within a cluster. 

[Mockup Image attached] 

On "add/edit cluster" Window add a tab "Security Policy" which will include configuration options for - sVirt Cluster Policy with options: Enforcing, Permissive, None. 

Clusters' behaviour on each mode:
sVirt Enforcing:
All hosts within the cluster must run with SELinux enabled. 

- When enabling sVirt Enforcing mode, the engine checks whether all hosts within the cluster have SELinux turned on; if not, enabling the sVirt Enforcing policy will fail with an appropriate error message.

- When adding a new host to an sVirt Enforcing cluster, if the host does not have SELinux enabled, the host will fail to join the cluster with an appropriate error message.

- When a host changes from SELinux Enforcing to SELinux Permissive, the host will be considered compromised, an alert should be generated and the host should change status to non-responsive. Admin should be able to configure the sVirt policy to migrate running VMs from compromised hosts before changing status to non-operational.


sVirt Permissive: 
Engine continues to monitor hosts' SELinux status, and adds alerts instead of taking actions.

- When enabling sVirt Permissive mode, the engine checks which hosts within the cluster do not have SELinux enabled and generates an alert for each host without SELinux enabled.

- When adding a new host, if the host does not have SELinux enabled, an alert will be generated saying the host does not have SELinux enabled, and the host will succeed in joining the cluster.

- When a host changes status from Enforcing to Permissive, an alert will be generated.


None: 
- Hosts' SELinux status will be ignored by engine. 


Hosts' general sub-tab should display SELinux status 


sVirt: 
http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/cddeee980a070d54511c17e2d78baed5/3/jcr:frozenNode/rh:pdfFile.pdf
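
The three policy modes described above, written out as a decision sketch. This is an added example, not ovirt-engine code and not part of the original report; the function names, message strings and sample cluster are hypothetical, and it assumes "SELinux enabled" means any mode other than disabled.

```python
from enum import Enum

class Policy(Enum):
    ENFORCING = "enforcing"
    PERMISSIVE = "permissive"
    NONE = "none"

def selinux_enabled(mode):
    # Assumption: "enabled" means not disabled, as sestatus reports it.
    return mode in ("enforcing", "permissive")

def enable_policy(policy, hosts):
    """hosts maps host name -> SELinux mode. Returns (applied, messages)."""
    missing = sorted(h for h, m in hosts.items() if not selinux_enabled(m))
    if policy is Policy.NONE or not missing:
        return True, []
    if policy is Policy.ENFORCING:
        return False, ["cannot enforce sVirt: SELinux not enabled on " + ", ".join(missing)]
    return True, [f"alert: SELinux not enabled on {h}" for h in missing]

def host_join(policy, host, mode):
    """Returns (accepted, messages) for a host joining the cluster."""
    if policy is Policy.NONE or selinux_enabled(mode):
        return True, []
    msg = f"SELinux not enabled on {host}"
    if policy is Policy.ENFORCING:
        return False, ["join refused: " + msg]
    return True, ["alert: " + msg]

def host_mode_changed(policy, host, old, new, migrate_vms=False):
    """Ordered engine actions for the one transition the request describes."""
    if policy is Policy.NONE or (old, new) != ("enforcing", "permissive"):
        return []
    actions = [f"alert: {host} switched SELinux to permissive"]
    if policy is Policy.ENFORCING:
        if migrate_vms:  # optional admin setting from the request
            actions.append(f"migrate running VMs off {host}")
        actions.append(f"set {host} non-responsive")
    return actions

# Constructed sample cluster, not data from the bug report.
CLUSTER = {"host-a": "enforcing", "host-b": "permissive", "host-c": "disabled"}

if __name__ == "__main__":
    for p in Policy:
        print(p.name, enable_policy(p, CLUSTER))
        print(p.name, host_join(p, "host-d", "disabled"))
        print(p.name, host_mode_changed(p, "host-a", "enforcing", "permissive", True))
```

Transitions the request does not mention, such as a host going to disabled, return no actions here rather than guessing at intended behaviour.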

Comment 1 Arthur Berezin 2014-04-10 17:35:24 UTC
Created attachment 885058
sVirt Cluster Policy Mockup

Comment 2 Itamar Heim 2014-04-12 19:57:09 UTC
*** Bug 1086372 has been marked as a duplicate of this bug. ***

Comment 5 Moran Goldboim 2016-11-29 09:59:01 UTC
CFME should provide the option for compliance checks.
Should be part of RHV and CFME integration.

