Configuring SELinux on Cloud Pak for Data System

You use the configure_selinux.py script to configure Security-Enhanced Linux settings on Cloud Pak for Data System.

About this task

Security-Enhanced Linux (SELinux) provides an extra layer of system security by implementing Mandatory Access Control (MAC). For more information, see this Red Hat page.

SELinux can run in one of three modes:
  • enforcing
  • permissive
  • disabled
On Cloud Pak for Data System, SELinux is set to permissive by default. In permissive mode, the system acts as if SELinux were enforcing the loaded security policy, including labeling objects and writing access-denial entries to the logs, but it does not actually deny any operations. In enforcing mode, SELinux operates normally, enforcing the loaded security policy on the entire system.

The script is located on every node at: /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py

This script applies the change on all nodes. It can be run from any node; running it from the head node is recommended.

Log file location: /var/log/appliance/platform/xcat/configure_selinux.log.tracelog

Usage:
/opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --h
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --h

usage: configure_selinux.py [-h] [--set_enforcing] [--set_permissive]
[--verify_enforcing] [--verify_permissive]
This script will manage selinux settings

optional arguments:
-h, --help           show this help message and exit
--set_enforcing
--set_permissive
--verify_enforcing
--verify_permissive
[root@e1n1 ~]#
--set_enforcing
This option sets SELinux to enforcing mode. The result can be verified by running the sestatus command.
Example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_enforcing
Done
[root@e1n1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@e1n1 ~]#
--set_permissive
This option sets SELinux to permissive mode. The result can be verified by running the sestatus command.
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_permissive
Done
[root@e1n1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

[root@e1n1 ~]#
--verify_enforcing
This option verifies whether SELinux is in enforcing mode. If it is, the script runs successfully and gives no error.
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
[root@e1n1 ~]#
Failure case:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
WARN: SELinux is not in enforcing mode on e1n1..
WARN:  Current mode is: Permissive
WARN:
[root@e1n1 ~]#
--verify_permissive
This option verifies whether SELinux is in permissive mode. If it is, the script runs successfully and gives no error. Example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_permissive
[root@e1n1 ~]#
Failure case:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_permissive
WARN: SELinux is not in permissive mode on e1n1..
WARN:  Current mode is: Enforcing
WARN:
[root@e1n1 ~]#
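The check behind the --verify_enforcing and --verify_permissive options, written out as an added example (this is not the appliance's configure_selinux.py). It parses sestatus output of the form shown above and emits WARN lines in the same style; the function names and the sample output are constructed for this example, and it additionally compares "Mode from config file" so a node whose running mode would not survive a reboot is flagged too.

```python
# Added example (not the appliance's own code): parses `sestatus` output
# as shown on this page and checks it the way the --verify_* options do,
# emitting WARN lines in the script's style. Function names and the sample
# output below are constructed for this example.

# Constructed sample: sestatus output from a node left in permissive mode.
SAMPLE_SESTATUS = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
"""


def parse_sestatus(text):
    """Turn 'key:   value' lines from sestatus into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def verify_mode(fields, expected, node):
    """Return WARN lines (empty list = pass); checks running and config-file mode."""
    warnings = []
    if fields.get("SELinux status") != "enabled":
        return ["WARN: SELinux is disabled on %s." % node]
    current = fields.get("Current mode", "unknown")
    if current != expected:
        warnings.append("WARN: SELinux is not in %s mode on %s." % (expected, node))
        warnings.append("WARN:  Current mode is: %s" % current.capitalize())
    configured = fields.get("Mode from config file", "unknown")
    if configured != expected:
        # Persistent setting differs: the node will not keep `expected` after reboot.
        warnings.append("WARN:  Mode from config file on %s is: %s" % (node, configured))
    return warnings


if __name__ == "__main__":
    for line in verify_mode(parse_sestatus(SAMPLE_SESTATUS), "enforcing", "e1n1"):
        print(line)
```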