Enabling SELinux context switching for IBM Spectrum Conductor

By default, all processes started by PEM run in the same domain as the LIM process (that is, in the unconfined_t domain), and all Docker processes run in the docker_t domain. If your Linux® environment is enabled for SELinux, you can instead have these processes run with the execution user's security context. To configure this context switch, add the EGO_ENABLE_SELINUX_CTX_SWITCH parameter to the ego.conf file and set it to Y. Configure this on each management and compute host in the cluster.

Before you begin

SELinux context switching is supported for IBM® Spectrum Conductor on Red Hat Enterprise Linux (RHEL). Before enabling SELinux context switching, your Linux environment must first be enabled for SELinux; refer to your RHEL documentation to configure SELinux.

In an SELinux enabled environment, you must let the LIM process run in the unconfined_t domain. There are two ways to achieve this:
  • If the cluster administrator OS user is allowed to use sudo to root, follow these steps to run LIM in the unconfined_t domain:
    1. Log on to the host as the root user, and follow the steps in the Red Hat documentation, Configuring the sudo Transition, to use staff_r as the default_role_r and to use unconfined_r as the administrator_r. Additionally, ensure the corresponding SELinux user has the system_r role.
      Here is an example where egoadmin is the cluster administrator OS user and egoadmin_selinux_u is the corresponding SELinux user:
      # semanage user -a -r s0-s0:c0.c1023 -R "staff_r unconfined_r system_r" egoadmin_selinux_u
      # cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/egoadmin_selinux_u
      # semanage login -a -s egoadmin_selinux_u -rs0:c0.c1023 egoadmin
      # restorecon -FR -v /home/egoadmin
      # echo "egoadmin ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r /bin/sh " > /etc/sudoers.d/egoadmin
    2. Log on to the host as the cluster administrator OS user, run sudo -i to switch to the unconfined security context, and then start the cluster. Before relying on the sudoers entry, check its syntax with visudo -cf /etc/sudoers.d/egoadmin; after sudo -i, run id -Z and confirm that the type field of your context is unconfined_t before starting the cluster.
  • If the cluster administrator OS user is allowed to switch (su) to root, follow these steps to run LIM in the unconfined_t domain:
    1. Log on to the host as the root user, specify sysadm_r as the default SELinux role and unconfined_r as the supplementary role for the user's SELinux user. Additionally, ensure the corresponding SELinux user has the system_r role.

      Here is an example where egoadmin is the cluster administrator OS user and egoadmin_selinux_u is the corresponding SELinux user:

      # semanage user -a -r s0-s0:c0.c1023 -R "sysadm_r unconfined_r system_r" egoadmin_selinux_u
      # cp /etc/selinux/targeted/contexts/users/sysadm_u /etc/selinux/targeted/contexts/users/egoadmin_selinux_u
      # semanage login -a -s egoadmin_selinux_u -rs0:c0.c1023 egoadmin
      # restorecon -FR -v /home/egoadmin
    2. Log on to the host as the cluster administrator OS user, run su -l to switch to root, and then start the cluster. After switching, run id -Z and confirm that the type field of your context is unconfined_t before starting the cluster.
Note: For both methods, SELinux must be enabled in enforcing (not permissive) mode before installing your IBM Spectrum Conductor cluster. For more details about the SELinux modes, refer to your SELinux documentation.

Install the IBM Spectrum Conductor cluster only after the cluster administrator OS user is mapped to the SELinux user (that is, after step 1 in either method), so that the cluster installation directory and files are created in the right security context.

Procedure

  1. To allow processes to run with the real user's default security context, add the EGO_ENABLE_SELINUX_CTX_SWITCH parameter to the $EGO_CONFDIR/ego.conf file with a value of Y:
    EGO_ENABLE_SELINUX_CTX_SWITCH=Y
    Note: PEM will not switch security context for processes which will run as the cluster administrator OS user. These processes will still run in the same domain as LIM process.
  2. Optional: By default, EGO derives the user's default security context from the context of sshd (the OpenSSH server process). To derive it from a different source context instead, set the EGO_SELINUX_FROM_CONTEXT parameter to that context, in the format user:role:type:range. For example:
    EGO_SELINUX_FROM_CONTEXT=system_u:system_r:local_login_t:s0
    If this parameter is not defined, the system uses the sshd security context.
  3. Optional (applicable to Docker cases): By default, when impersonation mode is enabled, the Docker controller process impersonates the Docker container execution user as the host user with the same user name, which triggers a query of all of that user's groups from the host. This query can take a long time, for example when there are many user groups and the LDAP server is slow to respond. To skip the group query, set the EGO_IGNORE_DOCKER_IMPERSONATE_MODE parameter to Y on each host that runs Docker containers; the setting applies regardless of impersonation mode (impersonation mode is defined by the ImpersonateMode parameter in the service profile). When this parameter is set to Y, ensure that the execution user exists in the Docker image with the expected user ID and group IDs, because the host's group membership is no longer consulted.
  4. Save and close the ego.conf file.
  5. Ensure that the following directories, and all their sub-directories, are readable, writable, and executable by everyone (permission mode 777). Note that mode 777 makes these directories writable by every local user on the host, so apply it only to the directories listed here and their sub-directories, not to their parent directories.
    • $EGO_ESRVDIR/rs/deploy/.global
    • $SOAM_HOME/deploy
  6. (Applicable to Docker cases): If you use a conda environment for notebooks, add the SELinux Python bindings-related libraries and files into each conda environment, to ensure that the SELinux module works for Python in conda:
    1. Add the SELinux Python bindings-related libraries and files into each conda environment:
      Conda-Python3.7
      If you do not already have matching libraries and files for Python 3.7 in conda, build the SELinux Python bindings from the SELinux project source code (use version 3.0 or later):
      1. Go to the libselinux/src/ directory and edit the setup.py file to specify the include_dirs and library_dirs values.
      2. Build the Python bindings:
        $ python3.7 setup.py install
      3. Ensure that the following files build successfully:
        • _selinux.cpython-37m-x86_64-linux-gnu.so
        • audit2why.cpython-37m-x86_64-linux-gnu.so
        • libselinux.so
      Conda-Python2.7
      Get the SELinux Python bindings-related libraries and files from the /usr/lib64/python2.7/site-packages/selinux/ directory of the RHEL 7 host which has the libselinux-python package installed. Get these files:
      • __init__.py
      • _selinux.so
      • audit2why.so
    2. Copy the following libraries and files to each conda environment:
      Conda-Python3.7
      1. Create a selinux directory under the conda environment's lib/python3.7/site-packages/ directory.
      2. Copy the following files to the newly created selinux directory and rename the libraries to _selinux.so and audit2why.so:
        • _selinux.cpython-37m-x86_64-linux-gnu.so
        • audit2why.cpython-37m-x86_64-linux-gnu.so
      3. Copy the libselinux/src/selinux.py file from your SElinux source code to the newly created selinux directory, and rename it to __init__.py.
      4. Copy the following libraries to the conda environment's lib/ directory:
        • libselinux.so
        • libselinux.so.1
      Conda-Python2.7
      1. Create a selinux directory under the conda environment's lib/python2.7/site-packages/ directory.
      2. Copy the following files to the newly created selinux directory:
        • __init__.py
        • _selinux.so
        • audit2why.so
    3. Verify that the previous changes take effect by using the Python interpreter in the conda environment. For example, with Python 3.7, run:
      # /opt/cws250/sigs/mini_conda_egoadmin/anaconda/envs/miniconda482-python3-linux-x86_64-jupyter-base/bin/python
      Python 3.7.6 (default, Jan  8 2020, 19:59:22)
      [GCC 7.3.0] :: Anaconda, Inc. on linux
      Type "help", "copyright", "credits" or "license" for more information.
      >>> import selinux
      >>> selinux.is_selinux_enabled()
      1
      A return value of 1 means the bindings loaded and SELinux is enabled on the host; 0 means SELinux is disabled, and an ImportError means the files were not copied to the right place.

  7. Repeat the ego.conf configurations on each management and compute host.
  8. Add the RS_RUN_DEPLOY_AS_HOOK_EXEC_USER environment variable with a value of Y in the EGO service RS profile, to allow deployment of an instance group as the execution user.
  9. Stop all instance groups and all EGO services, and restart the whole cluster, so that your configuration changes take effect.
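The settings and permissions that steps 1 to 5 ask for can be checked before the restart in step 9. The following POSIX shell script is an added example written for this page; it is not part of IBM Spectrum Conductor and is not an EGO tool. It reads EGO_ENABLE_SELINUX_CTX_SWITCH and EGO_SELINUX_FROM_CONTEXT from an ego.conf file, validates the user:role:type:range format of the override (allowing a range such as s0-s0:c0.c1023 that itself contains a colon), reports any directory under the deploy directories that is not mode 777, and, where getenforce exists, confirms that SELinux is enforcing. The script name, its argument layout and the helper names (ego_conf_get, ctx_switch_enabled, valid_selinux_context, from_context_ok, deploy_dirs_world_rwx, preflight) are assumptions of this example; the _r/_t suffix check is a targeted-policy naming convention used as a sanity check, not a rule that EGO enforces.

```shell
#!/bin/sh
# ego_selinux_preflight.sh (hypothetical name): added example, not an EGO tool.
# Checks the ego.conf settings and directory permissions required for SELinux
# context switching. Usage:
#   sh ego_selinux_preflight.sh <ego.conf> <deploy dir>...

# Print the value of KEY from a KEY=VALUE file, ignoring '#' comment lines and
# CR line endings; the last assignment wins. Returns 1 when KEY is absent.
ego_conf_get() {
    _file=$1
    _key=$2
    _val=$(tr -d '\r' < "$_file" \
           | grep "^[[:space:]]*$_key[[:space:]]*=" \
           | tail -n 1 \
           | sed -e "s/^[[:space:]]*$_key[[:space:]]*=//" \
                 -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ -n "$_val" ] || return 1
    printf '%s\n' "$_val"
}

# EGO_ENABLE_SELINUX_CTX_SWITCH must be exactly Y for PEM to switch contexts.
ctx_switch_enabled() {
    [ "$(ego_conf_get "$1" EGO_ENABLE_SELINUX_CTX_SWITCH)" = "Y" ]
}

# Validate a context string of the form user:role:type:range. The range may
# itself contain ':' (s0-s0:c0.c1023), so require at least three colons and
# non-empty fields. The _r/_t suffix test is a naming convention of the
# targeted policy, used here only as a sanity check.
valid_selinux_context() {
    _ctx=$1
    _n=0
    _tmp=$_ctx
    while [ "$_tmp" != "${_tmp#*:}" ]; do   # count the colons portably
        _tmp=${_tmp#*:}
        _n=$((_n + 1))
    done
    [ "$_n" -ge 3 ] || return 1
    _user=${_ctx%%:*};  _rest=${_ctx#*:}
    _role=${_rest%%:*}; _rest=${_rest#*:}
    _type=${_rest%%:*}; _range=${_rest#*:}
    [ -n "$_user" ] && [ -n "$_role" ] && [ -n "$_type" ] && [ -n "$_range" ] || return 1
    case $_role in *_r) ;; *) return 1 ;; esac
    case $_type in *_t) ;; *) return 1 ;; esac
}

# EGO_SELINUX_FROM_CONTEXT is optional: absent means EGO falls back to the
# sshd context; present means it must be well-formed.
from_context_ok() {
    _v=$(ego_conf_get "$1" EGO_SELINUX_FROM_CONTEXT) || return 0
    valid_selinux_context "$_v"
}

# Succeed only if DIR and every directory below it carry mode 777; print the
# offenders otherwise. A missing DIR is reported as a failure too.
deploy_dirs_world_rwx() {
    _dir=$1
    [ -d "$_dir" ] || { printf 'missing directory: %s\n' "$_dir"; return 1; }
    _bad=$(find "$_dir" -type d ! -perm -777)
    [ -z "$_bad" ] || { printf '%s\n' "$_bad"; return 1; }
}

# Run every check; the live SELinux mode check runs only where getenforce exists.
preflight() {
    _conf=$1; shift
    _rc=0
    ctx_switch_enabled "$_conf" \
        || { echo "FAIL: EGO_ENABLE_SELINUX_CTX_SWITCH is not Y in $_conf"; _rc=1; }
    from_context_ok "$_conf" \
        || { echo "FAIL: EGO_SELINUX_FROM_CONTEXT in $_conf is not user:role:type:range"; _rc=1; }
    for _d in "$@"; do
        deploy_dirs_world_rwx "$_d" \
            || { echo "FAIL: directories listed above (under $_d) are not mode 777"; _rc=1; }
    done
    if command -v getenforce >/dev/null 2>&1; then
        [ "$(getenforce)" = "Enforcing" ] \
            || { echo "FAIL: SELinux is $(getenforce), not Enforcing"; _rc=1; }
    fi
    [ "$_rc" -eq 0 ] && echo "OK: pre-flight passed"
    return $_rc
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    preflight "$@"
fi
```

Run it on each management and compute host after step 7 and before the restart, for example: sh ego_selinux_preflight.sh $EGO_CONFDIR/ego.conf $EGO_ESRVDIR/rs/deploy/.global $SOAM_HOME/deploy. A non-zero exit status means at least one check failed, and the reason is printed. The script does not check the RS profile change from step 8.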

What to do next

Once you have enabled SELinux context switching for IBM Spectrum Conductor, verify that your IBM Spectrum Conductor cluster works in an SELinux-enabled environment.