Setting SELinux to Enforcing on IAS

Security Enhanced Linux (SELinux) provides an extra layer of system security.

SELinux implements Mandatory Access Control (MAC). For more information, see the Red Hat SELinux documentation.

SELinux can run in one of three modes:
  • enforcing
  • permissive
  • disabled
On IAS, SELinux is set to permissive by default. In the permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs. The system does not deny any operations. In the enforcing mode, SELinux operates normally, enforcing the loaded security policy on the entire system.
The configure_selinux.py script manages the SELinux settings.
  • It's located on every node at /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py.
  • You can run it from any node, although it's recommended that you run it from the head node.
  • The script applies the changes on all the nodes.
  • The log file is located in /var/log/appliance/platform/xcat/configure_selinux.log.tracelog.

The configure_selinux.py script

[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --h

usage: configure_selinux.py [-h] [--set_enforcing] [--set_permissive]
[--verify_enforcing] [--verify_permissive]
This script will manage selinux settings

optional arguments:
-h, --help           show this help message and exit
--set_enforcing
--set_permissive
--verify_enforcing
--verify_permissive
[root@e1n1 ~]#
-h | --help
Displays this help message and exits.
--set_enforcing
Sets SELinux to the enforcing mode.
--set_permissive
Sets SELinux to the permissive mode. You can verify the outcome of the command by running the sestatus command. For example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_permissive
Done
[root@e1n1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

[root@e1n1 ~]#
--verify_enforcing
Verifies whether the SELinux mode is set to enforcing or not. If the mode is enforcing, the script runs successfully and doesn't return any errors. For example:
  • SELinux mode is set to enforcing:
    [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
    [root@e1n1 ~]#
  • SELinux mode is not set to enforcing:
    [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
    WARN: SELinux is not in enforcing mode on e1n1..
    WARN:  Current mode is: Permissive
    WARN:
    [root@e1n1 ~]#
--verify_permissive
Verifies whether the SELinux mode is set to permissive or not. If the mode is permissive, the script runs successfully and doesn't return any errors. For example:
  • SELinux mode is set to permissive:
    [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_permissive
    [root@e1n1 ~]#
  • SELinux mode is not set to permissive:
    [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_permissive
    WARN: SELinux is not in permissive mode on e1n1..
    WARN:  Current mode is: Enforcing
    WARN:
    [root@e1n1 ~]#

Procedure

  1. Log in as the root user.
  2. To set SELinux to Enforcing, run the configure_selinux.py script with the --set_enforcing parameter from any node.
    [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_enforcing
  3. You can verify the outcome of the command by running the sestatus command.
    sestatus
    Example:
    [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --set_permissive
    Done
    [root@e1n1 ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      31
    
    [root@e1n1 ~]#
  4. Verify that the SELinux mode is enforcing:
    /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
    Example:
    [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_selinux.py --verify_enforcing
    [root@e1n1 ~]#
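The following is an added example, not the IAS configure_selinux.py script or any IBM code. It parses sestatus output of the form shown above and reproduces the kind of check the --verify_enforcing and --verify_permissive options (and step 4) perform, with one addition a practitioner wants: it also warns when the runtime mode differs from the mode in /etc/selinux/config, because a runtime-only change (setenforce) reverts at the next reboot. The node name and the sample output are constructed.

```python
"""Check SELinux mode from `sestatus` output (added example, not the IAS script).

Mirrors the --verify_enforcing / --verify_permissive checks and also flags a
runtime mode that differs from /etc/selinux/config, which `setenforce` alone
produces and which reverts on the next reboot.
"""
import re

# Constructed sample in the layout sestatus prints: runtime was switched
# to permissive but the config file still says enforcing.
SAMPLE_SESTATUS = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
"""

def parse_sestatus(text):
    """Return the 'key: value' lines of sestatus output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def verify_mode(text, expected, node="e1n1"):
    """Return WARN lines in configure_selinux.py style; [] means the check passed.
    `expected` is 'enforcing' or 'permissive'; `node` is a constructed name."""
    fields = parse_sestatus(text)
    warnings = []
    if fields.get("SELinux status") != "enabled":
        return [f"WARN: SELinux is disabled on {node}"]
    current = fields.get("Current mode", "unknown").lower()
    config = fields.get("Mode from config file", "unknown").lower()
    if current != expected:
        warnings.append(f"WARN: SELinux is not in {expected} mode on {node}")
        warnings.append(f"WARN:  Current mode is: {current.capitalize()}")
    if config != current:
        # A runtime-only change (setenforce) is not persistent; say so.
        warnings.append(f"WARN:  Config file mode is {config}; "
                        f"current mode {current} will not survive a reboot")
    return warnings

if __name__ == "__main__":
    print("\n".join(verify_mode(SAMPLE_SESTATUS, "enforcing") or ["OK"]))
```

On a live node, feed the check the real output with `verify_mode(subprocess.run(["sestatus"], capture_output=True, text=True).stdout, "enforcing")`.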