Configuring SELinux on Cloud Pak for Data System
You use the configure_selinux.py script to configure Security-Enhanced Linux settings on Cloud Pak for Data System.
About this task
Security-Enhanced Linux (SELinux) provides an extra layer of system security by implementing Mandatory Access Control (MAC). For more information, see this Red Hat page.
SELinux can run in one of three modes:
- enforcing
- permissive
- disabled
SELinux is in permissive mode by default. In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not deny any operations. In enforcing mode, SELinux operates normally, enforcing the loaded security policy on the entire system.
The script is located on every node at: /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py
This script applies the changes on all the nodes. It can be run from any node (the head node is recommended).
Log file location: /var/log/appliance/platform/xcat/configure_selinux.log.tracelog
Usage:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --h
usage: configure_selinux.py [-h] [--set_enforcing] [--set_permissive]
                            [--verify_enforcing] [--verify_permissive]

This script will manage selinux settings

optional arguments:
  -h, --help          show this help message and exit
  --set_enforcing
  --set_permissive
  --verify_enforcing
  --verify_permissive
[root@e1n1 ~]#
- --set_enforcing: This option sets SELinux to enforcing mode. The result can be verified by running the sestatus command.
- --set_permissive: This option sets SELinux to permissive mode. The result can be verified by running the sestatus command.
Example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_permissive
Done
[root@e1n1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@e1n1 ~]#
- --verify_enforcing: This option can be used to verify whether SELinux is in enforcing mode. If the mode is enforcing, the script runs successfully and does not give any error.
Example:
Success case:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
[root@e1n1 ~]#
Failure case:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
WARN: SELinux is not in enforcing mode on e1n1.
WARN: Current mode is: Permissive
WARN:
[root@e1n1 ~]#
- --verify_permissive: This option can be used to verify whether SELinux is in permissive mode. If the mode is permissive, the script runs successfully and does not give any error.
Example:
Success case:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_permissive
[root@e1n1 ~]#
Failure case:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_permissive
WARN: SELinux is not in permissive mode on e1n1.
WARN: Current mode is: Enforcing
WARN:
[root@e1n1 ~]#
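The check that the --verify_enforcing and --verify_permissive options perform on each node can be reproduced by parsing sestatus output. The following is an added example written for this page; it is not the configure_selinux.py script shipped with Cloud Pak for Data System. It assumes sestatus prints the "key: value" lines shown above, and it goes one step further than the option descriptions by also comparing "Current mode" with "Mode from config file", so that a node whose runtime mode was changed with setenforce alone (and will revert at the next reboot) is flagged rather than reported as verified. The sample outputs and the node name e1n1 are constructed for the example.

```python
"""Verify the SELinux mode of a node from its sestatus output.

Added example (not the configure_selinux.py script shipped with Cloud Pak
for Data System). It assumes sestatus prints 'key: value' lines as shown
on this page, and additionally compares the runtime mode with the mode
from /etc/selinux/config.
"""
import subprocess


def sample_sestatus(current, config_mode, status="enabled"):
    """Constructed sestatus output in the layout shown on this page.

    A disabled SELinux prints only the status line, so no mode fields
    are emitted in that case.
    """
    if status != "enabled":
        return f"SELinux status:                 {status}\n"
    return "\n".join([
        f"SELinux status:                 {status}",
        "SELinuxfs mount:                /sys/fs/selinux",
        "SELinux root directory:         /etc/selinux",
        "Loaded policy name:             targeted",
        f"Current mode:                   {current}",
        f"Mode from config file:          {config_mode}",
        "Policy MLS status:              enabled",
        "Policy deny_unknown status:     allowed",
        "Max kernel policy version:      31",
    ]) + "\n"


def parse_sestatus(text):
    """Map each 'key: value' line of sestatus output to a lower-cased value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip().lower()
    return fields


def verify_mode(text, expected, node="e1n1"):
    """Check that sestatus output shows the expected mode.

    Returns (ok, warnings). Warning lines follow the WARN: style of the
    configure_selinux.py output shown on this page. The config-file check
    is an addition: a runtime change made with setenforce alone is lost at
    reboot, so a node whose two modes differ is reported as not verified.
    """
    if expected not in ("enforcing", "permissive"):
        raise ValueError("expected must be 'enforcing' or 'permissive'")
    fields = parse_sestatus(text)
    warnings = []
    if fields.get("SELinux status") != "enabled":
        warnings.append(f"WARN: SELinux is disabled on {node}.")
        return False, warnings
    current = fields.get("Current mode", "unknown")
    if current != expected:
        warnings.append(f"WARN: SELinux is not in {expected} mode on {node}.")
        warnings.append(f"WARN: Current mode is: {current.capitalize()}")
    configured = fields.get("Mode from config file", "unknown")
    if configured != current:
        warnings.append(
            f"WARN: Mode from config file on {node} is {configured}; "
            "the runtime mode will change at the next reboot."
        )
    return not warnings, warnings


def verify_local_node(expected):
    """Run sestatus on this host (needs the policycoreutils package) and verify it."""
    out = subprocess.run(["sestatus"], capture_output=True, text=True, check=True).stdout
    return verify_mode(out, expected)


if __name__ == "__main__":
    # Reproduces the failure case shown above: node is permissive, enforcing expected.
    for line in verify_mode(sample_sestatus("permissive", "permissive"), "enforcing")[1]:
        print(line)
```

Run it on a real node with verify_local_node("enforcing") after the script's --set_enforcing option has been applied; an empty warning list means both the runtime mode and the configured mode match, which is what the sestatus output on this page shows after a successful run.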