SELinux considerations

To simplify the configuration of the IBM Spectrum Scale for object storage environment, the installation process detects whether SELinux is enabled. If SELinux is enabled, the installation process performs steps so that the object services and the database software running on the protocol nodes can interact with the required file system and system resources.

The openstack-selinux package is installed automatically when the spectrum-scale-object RPM is installed. This configures the object services for SELinux.

If the installer detects that SELinux is enabled, it performs the following steps:

  1. Ensures that the Postgres database can access the Keystone database directory on the CES shared root file system:
    semanage fcontext -a -t postgresql_db_t "<keystone db directory>(/.*)?"
    semanage fcontext -a -t postgresql_log_t "<keystone db directory>/log(/.*)?"
    restorecon -R "<keystone db directory>"
  2. Ensures that object processes can access the object data fileset:
    semanage fcontext -a -t swift_data_t "<object fileset directory>(/.*)?"
    restorecon -R <object fileset directory>/*

Attention: If SELinux is disabled during installation of IBM Spectrum Scale for object storage, enabling SELinux after installation is not supported.
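
As an added example (not part of the IBM installer or its documentation), the following shell function audits the listing printed by semanage fcontext -l -C for the three file-context rules shown in the steps above. The function names and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the three file-context rules above are present.
# Input on stdin is the text printed by: semanage fcontext -l -C

# missing_fcontext_rules KEYSTONE_DB_DIR OBJECT_FILESET_DIR
# Prints "pattern expected_type" for each absent rule; returns 1 if any are absent.
missing_fcontext_rules() {
    awk -v ks="$1" -v obj="$2" '
        BEGIN {
            want[ks "(/.*)?"]     = "postgresql_db_t"
            want[ks "/log(/.*)?"] = "postgresql_log_t"
            want[obj "(/.*)?"]    = "swift_data_t"
        }
        # Field 1 is the path regex; the last field is user:role:type:level.
        ($1 in want) {
            split($NF, ctx, ":")
            if (ctx[3] == want[$1]) delete want[$1]
        }
        END {
            for (p in want) { print p, want[p]; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample of the semanage listing (paths are hypothetical).
sample_semanage_output() {
    cat <<'EOF'
SELinux fcontext                                   type               Context

/ibm/cesroot/object/keystone(/.*)?                 all files          system_u:object_r:postgresql_db_t:s0
/ibm/cesroot/object/keystone/log(/.*)?             all files          system_u:object_r:postgresql_log_t:s0
/ibm/gpfs0/object_fileset(/.*)?                    all files          system_u:object_r:swift_data_t:s0
EOF
}

# Demo on the constructed sample; on a protocol node, pipe the real listing in instead.
sample_semanage_output |
    missing_fcontext_rules /ibm/cesroot/object/keystone /ibm/gpfs0/object_fileset &&
    echo "all expected fcontext rules present"
```

A rule in the listing only changes labels on existing files once restorecon has been run; ls -Zd on each directory shows the label actually applied.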

SELinux packages required for IBM Spectrum Scale for object storage

IBM Spectrum Scale for object storage requires the following SELinux packages to be installed:
  • selinux-policy-base at 3.13.1-23 or higher
  • selinux-policy-targeted at 3.12.1-153 or higher