Verifying your IBM Spectrum Conductor cluster after switching the SELinux context

After you have enabled SELinux context switching for IBM® Spectrum Conductor, verify that the context switching works correctly in your cluster. The verification is an end-to-end IBM Spectrum Conductor use case that confirms that processes run with the default security context of the execution user. It consists of creating and starting an instance group, running the SparkPi Spark application, and then checking the security context of the corresponding processes.

Before you begin

This use case relies on the following setup; ensure that these prerequisites are in place before you use the use case for your verification:
  • The cluster administrator OS user has been mapped to the SELinux user egoadmin_selinux_u using one of the methods when letting the LIM process run in the unconfined_t domain.
  • The execution user is a Linux user called userA, and its SELinux user is user_u, with a default security context of user_u:user_r:user_t:s0.
  • The IBM Spectrum Conductor cluster is installed under the /opt directory, and the security context for the /opt directory is with type usr_t.
  • Check that the selinuxuser_tcp_server boolean is enabled (getsebool selinuxuser_tcp_server); if it is not, enable it by running the setsebool selinuxuser_tcp_server=on command.
  • The instance group deployment directory's SELinux context is with type usr_t.

Procedure

  1. Prepare your environment to create and install a custom policy called testpolicy to allow security context switching from unconfined_t to user_t:
    1. Start the IBM Spectrum Conductor cluster under the unconfined security context (as described in letting the LIM process run in the unconfined_t domain).
    2. Determine the security context of the LIM process. In the following example, the security context is egoadmin_selinux_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 and the process runs as root:
      # ps -fZp 19647
      LABEL         UID        PID  PPID  C STIME TTY          TIME CMD
      egoadmin_selinux_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19647 1  0 Oct14 ? 00:04:04 /opt/cws250/3.9/linux-x86_64/etc/lim
      
    3. As root, map Linux® user userA to SELinux user user_u:
      # semanage login -a -s user_u userA
    4. On each management and compute host, create and install a custom policy called testpolicy, to allow security context switching from unconfined_t to user_t:
      1. Create the policy file testpolicy.te with the following content:
        policy_module(testpolicy, 1.0)
        
        # Types and roles from the base policy that this module references.
        gen_require(`
          type unconfined_t;
          type user_t;
          type tmp_t;
          type tmpfs_t;
          type pki_ca_port_t;
          type unreserved_port_t;
          type rpm_script_tmp_t;
          type usr_t;
          role unconfined_r;
          role user_r;
        ')
        # Let the unconfined LIM switch role and domain to the execution user's defaults.
        allow unconfined_r user_r;
        allow unconfined_t user_t:process transition;
        # Temporary files and IPC that the user_t daemons need.
        allow user_t tmp_t:dir setattr;
        allow user_t tmpfs_t:lnk_file read;
        allow user_t unconfined_t:sem { unix_read associate unix_write getattr read write };
        # Ports that the instance group services bind to.
        allow user_t pki_ca_port_t:tcp_socket name_bind;
        allow user_t unreserved_port_t:tcp_socket name_bind;
        allow user_t rpm_script_tmp_t:dir { add_name create setattr write remove_name rmdir };
        allow user_t rpm_script_tmp_t:file { create rename unlink };
        # Write access to the usr_t deployment directory under /opt.
        allow user_t usr_t:dir { write create add_name remove_name setattr rmdir };
        allow user_t usr_t:file { write execmod rename create unlink append link relabelfrom relabelto setattr };
        allow user_t usr_t:lnk_file { create setattr unlink };
        
        Tip: For details about rules for an SELinux and IBM Spectrum Conductor policy, see Required SELinux rules for an IBM Spectrum Conductor cluster.
      2. Build the testpolicy policy:
        # make -f /usr/share/selinux/devel/Makefile testpolicy.pp
      3. Install the testpolicy policy:
        # semodule -i testpolicy.pp
      4. Verify that the testpolicy policy successfully installed and that it is enabled:
        # semodule -l | grep testpolicy
    5. Log in to the host as user userA using SSH, and check the user's security context. The output should be user_u:user_r:user_t:s0:
      $ id -Z
  2. Verify that processes will run with the default security context of the execution user, by creating an instance group, starting it, and then running the SparkPi application:
    1. Check the cluster status and ensure that the IBM Spectrum Conductor daemons are running well.
    2. Create an instance group called selinuxtest, specify the deployment directory to a directory under the /opt directory, and specify the execution user as userA.
    3. Start the selinuxtest instance group, and check the security context of the processes for the Spark master service for batch and the Spark shuffle service. Each process should be in the context of user_u:user_r:user_t:s0.
    4. Submit a SparkPi sample application to the selinuxtest instance group as userA, and check the security context of the Spark driver process. The process should be in the context of user_u:user_r:user_t:s0.
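
The process and boolean checks in the procedure above can be scripted. The following shell functions are an added example (not part of the IBM documentation) that parse the output of ps, getsebool and ls -Z; the sample output embedded in the script is constructed, and the live_* wrappers assume a host where ps supports the label format and getsebool is available.

```shell
#!/bin/sh
# Added example: checks for the SELinux verification procedure. The parsing
# functions take command output as text so they can run on the constructed
# samples below; the live_* wrappers feed them real command output.

# Constructed sample of `ps -eo label,user,pid,comm` (not a real capture).
# The last line is a deliberately wrong context for userA.
SAMPLE_PS='LABEL USER PID COMMAND
egoadmin_selinux_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19647 lim
user_u:user_r:user_t:s0 userA 20311 java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 userA 20999 java'

# Constructed sample of `getsebool selinuxuser_tcp_server`.
SAMPLE_BOOL='selinuxuser_tcp_server --> on'

# context_type CONTEXT: print the type field of user:role:type[:level],
# e.g. usr_t for the /opt context system_u:object_r:usr_t:s0.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# bool_is_on GETSEBOOL_OUTPUT NAME: succeed only if the boolean reads "on".
bool_is_on() {
  printf '%s\n' "$1" | awk -v n="$2" \
    'BEGIN{ok=1} $1==n && $3=="on" {ok=0} END{exit ok}'
}

# check_user_processes PS_OUTPUT USER EXPECTED_CONTEXT: print every process
# owned by USER whose label differs from EXPECTED_CONTEXT; fail if any exist.
check_user_processes() {
  printf '%s\n' "$1" | awk -v u="$2" -v want="$3" \
    'BEGIN{bad=0} NR>1 && $2==u && $1!=want {print; bad=1} END{exit bad}'
}

# Live wrappers for a real host. For the procedure above, call
#   live_check_user_processes userA user_u:user_r:user_t:s0
# after starting the instance group and again after submitting SparkPi.
live_check_user_processes() {
  check_user_processes "$(ps -eo label,user,pid,comm)" "$1" "$2"
}
live_check_tcp_server_bool() {
  bool_is_on "$(getsebool selinuxuser_tcp_server)" selinuxuser_tcp_server
}
# Type of the deployment directory given as $1 (expected usr_t).
live_dir_type() {
  context_type "$(ls -dZ "$1" | awk '{print $1}')"
}
```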

Results

You have verified that your SELinux-enabled environment successfully works with your IBM Spectrum Conductor cluster.