Setting SELinux to Enforcing on IAS
Security Enhanced Linux (SELinux) provides an extra layer of system security.
SELinux implements Mandatory Access Control (MAC). For more information, see this Red Hat page.
SELinux can run in one of three modes:
- enforcing
- permissive
- disabled
On IAS, SELinux is set to permissive by default. In permissive mode, the system acts as if SELinux were enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not deny any operations. In enforcing mode, SELinux operates normally, enforcing the loaded security policy on the entire system.
The configure_selinux.py script manages the SELinux settings.
- It's located on every node at /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py.
- You can run it from any node although it's recommended that you run it from the head node.
- The script applies the changes on all the nodes.
- The log file is located in /var/log/appliance/platform/xcat/configure_selinux.log.tracelog .
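Because permissive mode logs denials without blocking them, the AVC entries written to the audit log while a node is still permissive are exactly the operations that will start failing once the node is switched to enforcing. The following added example is not part of the IAS documentation or of the configure_selinux.py script; it parses AVC records in the key=value form written by auditd and separates denials that were only logged (permissive=1) from those that were actually blocked (permissive=0), grouped by source type, target type, object class and permission. The audit lines in SAMPLE_AUDIT_LOG are constructed for the example, not taken from an IAS node.

```python
import re
from collections import Counter

# Constructed audit.log excerpt for this example only; not output from any IAS node.
# The trailing permissive=1 field marks a denial that was logged but not blocked.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=3891 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1234 comm="httpd" name="access_log" dev="dm-0" ino=4012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=2345 comm="python" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
"""

# 'avc:  denied  { read write }' -> the decision and the permission set inside the braces
AVC_DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values may be quoted (comm="httpd") or bare (tclass=file)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Extract the type field from a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    if not line.startswith("type=AVC"):
        return None
    decision = AVC_DECISION_RE.search(line)
    if decision is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "decision": decision.group(1),
        "perms": tuple(sorted(decision.group(2).split())),
        "comm": fields.get("comm", "?"),
        "source_type": type_of(fields.get("scontext", "?")),
        "target_type": type_of(fields.get("tcontext", "?")),
        "tclass": fields.get("tclass", "?"),
        # Assumption of this example: a record without a permissive= field is
        # counted as an enforced (blocked) denial.
        "logged_only": fields.get("permissive") == "1",
    }


def summarize_denials(log_text):
    """Count AVC denials and split them into logged-only and actually-blocked."""
    denials = [r for r in map(parse_avc, log_text.splitlines())
               if r is not None and r["decision"] == "denied"]
    by_rule = Counter(
        (d["source_type"], d["target_type"], d["tclass"], " ".join(d["perms"]))
        for d in denials
    )
    logged_only = sum(1 for d in denials if d["logged_only"])
    return {
        "total": len(denials),
        "logged_only": logged_only,            # become real denials under enforcing
        "blocked": len(denials) - logged_only,
        "by_rule": by_rule,
    }


if __name__ == "__main__":
    report = summarize_denials(SAMPLE_AUDIT_LOG)
    print(f"{report['total']} denials: {report['logged_only']} logged only (permissive), "
          f"{report['blocked']} blocked")
    for (stype, ttype, tclass, perms), n in report["by_rule"].most_common():
        print(f"  {n:3d}  {stype} -> {ttype} ({tclass}): {perms}")
```

Run it against a node's /var/log/audit/audit.log before running --set_enforcing: every rule listed under "logged only" is a workload that permissive mode has been tolerating and that enforcing mode will stop, so each one needs either a policy fix or a relabel before the switch.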
The configure_selinux.py script
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --h
usage: configure_selinux.py [-h] [--set_enforcing] [--set_permissive]
[--verify_enforcing] [--verify_permissive]
This script will manage selinux settings
optional arguments:
-h, --help show this help message and exit
--set_enforcing
--set_permissive
--verify_enforcing
--verify_permissive
[root@e1n1 ~]#
- -h | --help
  Displays this help message and exits.
- --set_enforcing
  Sets SELinux to the enforcing mode.
- --set_permissive
  Sets SELinux to the permissive mode. You can verify the outcome of the command by running the sestatus command. For example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_permissive
Done
[root@e1n1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@e1n1 ~]#
- --verify_enforcing
  Verifies whether the SELinux mode is set to enforcing or not. If the mode is enforcing, the script runs successfully and doesn't return any errors.
- --verify_permissive
  Verifies whether the SELinux mode is set to permissive or not. If the mode is permissive, the script runs successfully and doesn't return any errors. For example:
  - SELinux mode is set to permissive:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_permissive
[root@e1n1 ~]#
  - SELinux mode is not set to permissive:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_permissive
WARN: SELinux is not in permissive mode on e1n1..
WARN: Current mode is: Enforcing
WARN:
[root@e1n1 ~]#
Procedure
- Log in as the root user.
- To set SELinux to enforcing, run the configure_selinux.py script with the --set_enforcing parameter from any node.
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_enforcing
- You can verify the outcome of the command by running the sestatus command. Example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_permissive
Done
[root@e1n1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@e1n1 ~]#
- Verify if the SELinux mode is enforcing. Example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
[root@e1n1 ~]#
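The sestatus output in the procedure reports two modes: "Current mode" (what the running kernel does now) and "Mode from config file" (what /etc/selinux/config will apply at the next boot). A node is only durably enforcing when both say so. The following added example is not the configure_selinux.py script and makes no claim about how that script performs its checks; it parses sestatus output and reports, per node, why a node does not match the expected mode. SESTATUS_E1N1 is the output shown on this page; SESTATUS_MISMATCH and SESTATUS_DISABLED are constructed, and the node names e1n2 and e1n3 are assumptions for the example.

```python
# sestatus output as shown on this page (node e1n1 after --set_permissive).
SESTATUS_E1N1 = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
"""

# Constructed sample: runtime mode was switched to enforcing, but the boot-time
# setting in /etc/selinux/config is still permissive, so a reboot would revert it.
SESTATUS_MISMATCH = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
"""

# Constructed sample: sestatus on a node where SELinux is disabled.
SESTATUS_DISABLED = "SELinux status:                 disabled\n"


def parse_sestatus(text):
    """Turn 'Key:   value' lines from sestatus into a dict; other lines are ignored."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def check_mode(status, expected):
    """Return a list of warnings; an empty list means the node matches `expected`.

    Both the running mode and the mode from /etc/selinux/config are checked:
    the config-file value is what the node comes back with after a reboot.
    """
    expected = expected.lower()
    warnings = []
    if status.get("SELinux status") != "enabled":
        warnings.append("SELinux is not enabled")
        return warnings
    current = status.get("Current mode", "unknown").lower()
    configured = status.get("Mode from config file", "unknown").lower()
    if current != expected:
        warnings.append(f"Current mode is: {current}")
    if configured != expected:
        warnings.append(f"Mode from config file is: {configured} (takes effect at next boot)")
    return warnings


def check_nodes(outputs, expected):
    """Map node name -> warnings for every node whose sestatus output is given."""
    return {node: check_mode(parse_sestatus(text), expected)
            for node, text in outputs.items()}


if __name__ == "__main__":
    # Node names e1n2 and e1n3 are assumed for the example.
    results = check_nodes({"e1n1": SESTATUS_E1N1,
                           "e1n2": SESTATUS_MISMATCH,
                           "e1n3": SESTATUS_DISABLED}, "enforcing")
    for node, warnings in results.items():
        if not warnings:
            print(f"{node}: OK")
        for w in warnings:
            print(f"WARN: SELinux is not in enforcing mode on {node}: {w}")
```

Feed it the sestatus output collected from each node (for example over ssh) after --set_enforcing; a node that reports only the "Mode from config file" warning is enforcing now but will not be after its next reboot, which a check of the running mode alone would miss.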