Security Enhanced Linux (SELinux)

SELinux is a Linux kernel security module, built on the kernel's Linux Security Modules (LSM) hooks and administered through user-space tools and policy, that provides Mandatory Access Control (MAC) over system resources. Processes are confined to domains, which can be thought of as sandboxes. Access to system objects and capabilities such as files, message queues, semaphores and networking is controlled on a per-domain basis following the principle of least privilege.

Directories and files are labeled with a persistent SELinux type (part of their security context) that is separate from the usual UNIX Discretionary Access Controls (DAC). SELinux checks are applied in addition to DAC checks, not instead of them: an access must pass both. This extra layer allows tighter control over access to objects: if an intruder gains control of a process owned by a user, access to all files owned by that user is not automatically granted, because the process's domain must also be permitted to access each file's type. The kind of access (read, write, create) is controlled by SELinux as well.

SELinux can operate in three modes: disabled, permissive, or enforcing. Switching between permissive and enforcing can be done at run time (for example with setenforce) or persistently in /etc/selinux/config; switching to or from disabled requires a reboot, and files created while SELinux was disabled are unlabeled, so the file system usually has to be relabeled before enforcing mode works correctly.
  • "Disabled" means no access checking or logging is performed.
  • "Permissive" means access violations are logged, but are permitted to occur.
  • "Enforcing" means the policy is enforced, and access will be denied if it has not been permitted in the policy.

SELinux depends on operating system configuration that exists outside of Db2®. Db2 is not an "SELinux-aware" application: it does not detect that SELinux is in operation and does not make dynamic changes to SELinux properties while the database server is running. Thus all configuration changes must be made to the policy files that govern what Db2 is permitted to do.

When Db2 is installed and the default "targeted" policy is configured, the Db2 processes run in the "unconfined" domain (unconfined_t). In that domain SELinux imposes essentially no additional restrictions, so Db2 runs as it did before SELinux was introduced or enabled.

For samples on SELinux policies, refer to SELinux sample policies.

Sample policy files are provided to enable Db2 processes to run in a confined domain, providing additional protection. These samples are a starting point and will require modification for your environment. Db2 technical support is not able to assist with the configuration of SELinux or the use of the samples. Any failures introduced by SELinux policies are the customer's responsibility to resolve. However, the use of Db2 in an environment where SELinux is in permissive or enforcing mode is supported, as long as failures are not the result of SELinux policy configuration.
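Whether Db2 runs unconfined or in a confined domain built from the sample policies, the first sign that a policy is too tight is an AVC denial in the audit log; in permissive mode the denial is logged with permissive=1 but the access still succeeds, which is why a new policy is normally tested in that mode first. The script below is an added example and is not part of the Db2 documentation or of IBM's sample policies. It parses constructed audit records (the db2_t domain, the object labels and the port number are assumptions for the example only), reports each denial for Db2 processes, separates logged-only denials from blocked ones, and prints the allow rule each denial would need, which is the job audit2allow does on a real system.

```shell
#!/bin/sh
# Added example, not from the Db2 documentation or IBM's sample policies.
# Summarises SELinux AVC denials for Db2 from audit-log text, so that a
# denial seen in permissive mode can be mapped to the domain, object type,
# class and permission that a policy rule would have to allow.

# Constructed audit records in the format of /var/log/audit/audit.log.
# The db2_t domain, the labels and the port are assumptions for this example.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="db2sysc" name="db2diag.log" dev="dm-0" ino=99 scontext=system_u:system_r:db2_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=1 success=yes exit=42 comm="db2sysc"
type=AVC msg=audit(1700000000.124:457): avc:  denied  { name_bind } for  pid=1234 comm="db2sysc" src=50000 scontext=system_u:system_r:db2_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  denied  { read } for  pid=2222 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: read audit text on stdin and print one line per AVC denial
# whose comm matches $1 (default "db2"), as:
#   <permissive|enforced> <comm> <source type> <class> <target type> <perms>
avc_summary() {
    pattern="${1:-db2}"
    awk -v pat="$pattern" '
    /^type=AVC / && /avc: +denied/ {
        comm = ""; scon = ""; tcon = ""; tclass = ""; perm = ""; mode = "enforced"
        # the denied permissions sit between braces: "{ read write }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); scon = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tcon = c[3] }
            else if (kv[1] == "tclass") tclass = kv[2]
            else if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        if (comm ~ pat) print mode, comm, scon, tclass, tcon, perm
    }'
}

# enforced_denials: how many matching denials actually blocked the access
# (permissive=0). In permissive mode every denial is logged only, so this is 0.
enforced_denials() {
    avc_summary "$@" | awk '$1 == "enforced" { n++ } END { print n + 0 }'
}

# allow_rules: the allow rule each denial would need, in policy syntax.
# This is what audit2allow produces; rules must be reviewed, not applied blindly.
allow_rules() {
    avc_summary "$@" | awk '{
        perms = ""
        for (i = 6; i <= NF; i++) perms = perms (i > 6 ? " " : "") $i
        print "allow " $3 " " $5 ":" $4 " { " perms " };"
    }'
}

# Stand-alone run over the constructed records.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf 'blocked denials for Db2: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | enforced_denials)"
printf '%s\n' "$SAMPLE_AUDIT" | allow_rules
```

On a live system the same functions read the real log, for example `ausearch -m avc -ts recent | avc_summary`. A rule produced this way describes what the denied access was, not whether it should be allowed; check each one against the least-privilege intent of the policy before adding it, and prefer relabeling the file or setting an existing boolean where that is the real fix.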