IBM Spectrum Symphony and Security-Enhanced Linux (SELinux)

Security-Enhanced Linux® (SELinux) gives users and administrators finer control over access control. In an SELinux-enabled environment, IBM® Spectrum Symphony can run its processes (processes started by PEM, and Docker container processes used for IBM Spectrum Symphony) with the execution user's default SELinux security context, that is, the same context the user receives when logging in to the host using SSH. To enable SELinux in your Linux environment (and to switch the SELinux context for IBM Spectrum Symphony), follow your Red Hat Enterprise Linux (RHEL) documentation to configure your Linux system for SELinux.

In Linux, access can be constrained by policy variables, so that users and applications can access only those resources (such as files) to which they are authorized. SELinux provides these security benefits:
  • Access control by policies: without SELinux (that is, with only standard Linux access controls), users, or the applications run by users, can modify file modes (such as -rwxr-xr-x). With SELinux, however, a policy determines the access controls, and users cannot change these access controls.
  • Finer granularity of access controls: instead of only specifying who can read, write, or execute a file, SELinux lets you specify who can take a given action on a file (for instance, who can unlink, append to, or move a file). Additionally, you can use SELinux to specify access to resources other than files, such as network resources and interprocess communication (IPC).
  • Security context: SELinux requires a security context to be associated with every process and object used by the security server. The context is used to decide whether access should be granted, as defined by the policy. Within SELinux, a security context is represented as a variable-length string that defines the SELinux user, their role, a type identifier, and an optional multi-category security (MCS) or multi-level security (MLS) range or level. As such, an SELinux security context uses the format user:role:type[:range]; for example, system_u:system_r:local_login_t:s0.

By default, all processes started by PEM run in the same domain as the LIM processes (that is, in the unconfined_t domain), and LIM must run in the unconfined_t domain in an SELinux-enabled environment; all Docker processes run in the docker_t domain. To allow these processes to run with the default security context of the process's real user, configure the EGO_ENABLE_SELINUX_CTX_SWITCH parameter in the ego.conf file on each management and compute host in the cluster to switch the security context.
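The following is an added example (not IBM code) that parses the user:role:type[:range] context format described above and audits a constructed sample of `ps -eZ`-style output: any process other than LIM or PEM that is still running in the unconfined_t domain is reported, which is what you would expect to see before the context switch is enabled. The process names in the sample are placeholders, not real Symphony daemons.

```python
"""Parse SELinux security contexts and flag processes that did not switch
to the execution user's context. Added example, not part of IBM Spectrum
Symphony."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SEContext:
    user: str
    role: str
    type_: str
    range_: Optional[str] = None  # MCS/MLS level or range, e.g. s0 or s0-s0:c0.c1023


def parse_context(ctx: str) -> SEContext:
    """Parse user:role:type[:range].

    The range itself may contain ':' (for example s0:c0.c1023), so only the
    first three ':' separators are significant.
    """
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3 or any(not p for p in parts[:3]):
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    rng = parts[3] if len(parts) == 4 and parts[3] else None
    return SEContext(parts[0], parts[1], parts[2], rng)


# Constructed sample in the shape of `ps -eZ` output: context, pid, command.
# "lim" and "pem" must stay unconfined_t; "worker1" has not switched context,
# "worker2" runs with a user's own default context.
SAMPLE_PS_Z = """\
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1201 lim
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1202 pem
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1310 worker1
user_u:user_r:user_t:s0 1311 worker2
"""

# Daemons that the page says must run in unconfined_t (hypothetical names).
EXEMPT_COMMANDS = frozenset({"lim", "pem"})


def find_unswitched(ps_z: str, domain: str = "unconfined_t") -> List[Tuple[int, str]]:
    """Return (pid, command) for non-exempt processes still in `domain`."""
    hits = []
    for line in ps_z.splitlines():
        if not line.strip():
            continue
        ctx, pid, cmd = line.split(None, 2)
        if cmd not in EXEMPT_COMMANDS and parse_context(ctx).type_ == domain:
            hits.append((int(pid), cmd))
    return hits
```

On a real host, feed `find_unswitched` the output of `ps -eZ -o label,pid,comm` (after dropping the header line) to confirm that PEM-started processes carry their users' contexts once EGO_ENABLE_SELINUX_CTX_SWITCH is in effect.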