IBM Spectrum Symphony and Security-Enhanced Linux (SELinux)
Security-Enhanced Linux® (SELinux) gives users and administrators finer control over access control. In an SELinux-enabled environment, IBM® Spectrum Symphony can run its processes (processes started by PEM, and the Docker container processes used for IBM Spectrum Symphony) with the execution user's default SELinux security context, that is, the same SELinux context the user receives when logging in to the host using SSH. To enable SELinux in your Linux environment (and to switch the SELinux context for IBM Spectrum Symphony), configure your Linux system for SELinux as described in your Red Hat Enterprise Linux (RHEL) documentation. SELinux provides the following:
- Access control by policies: without SELinux (that is, with only standard Linux access controls), users, or the applications run by users, can modify file modes (such as -rwxr-xr-x). With SELinux, however, a policy determines the access controls, and users cannot change these access controls.
- Finer granularity of access controls: instead of only specifying who can read, write, or execute a file, SELinux lets you specify who can take a particular action on a file (for instance, who can unlink, append to, or move a file). SELinux can also control access to resources other than files, such as network resources and interprocess communication (IPC).
- Security context: SELinux requires a security context to be associated with every process and object used by the security server. The context is used to decide whether access should be granted, as defined by the policy. Within SELinux, a security context is represented as a variable-length string that defines the SELinux user, their role, a type identifier, and an optional multi-category security (MCS) or multi-level security (MLS) range or level. As such, an SELinux security context uses the format user:role:type[:range]; for example, system_u:system_r:local_login_t:s0.
By default, all processes started by PEM run in the same domain as the LIM processes (that is, in the unconfined_t domain), and LIM must run in the unconfined_t domain in an SELinux-enabled environment; all Docker processes run in the docker_t domain. To allow these processes to run with the default security context of the process's real user, configure the EGO_ENABLE_SELINUX_CTX_SWITCH parameter in the ego.conf file on each management and compute host in the cluster to switch the security context.
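The following is an added example, not IBM Spectrum Symphony code and not taken from this page: it parses security context strings in the user:role:type[:range] format described above (including MLS/MCS ranges that themselves contain colons, such as s0-s0:c0.c1023) and then walks constructed `ps -eZ`-style output to report which domain each process runs in. An administrator can use the same check after enabling the context switch to confirm that PEM-started work runs in the execution user's own context rather than in the LIM daemon's unconfined_t domain. The sample process listing, the process names, and the assumption that user, role and type contain no colons are all constructed for this example.

```python
"""Parse SELinux security contexts and summarize process domains.

Added example (not IBM Spectrum Symphony code). The `ps -eZ` output below is
constructed; real contexts and process names on a host will differ.
"""
import re
from dataclasses import dataclass
from typing import Optional

# user, role and type are single labels without colons; the optional MLS/MCS
# range may contain further colons (e.g. "s0-s0:c0.c1023"), so we split at most
# three times and keep the remainder as the range. This is an assumption about
# the label syntax, not a rule taken from the page.
_LABEL_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    range: Optional[str] = None

    def __str__(self) -> str:
        base = f"{self.user}:{self.role}:{self.type}"
        return f"{base}:{self.range}" if self.range else base


def parse_context(text: str) -> SELinuxContext:
    """Parse 'user:role:type[:range]' into its components, rejecting malformed input."""
    parts = text.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a valid SELinux context: {text!r}")
    user, role, typ = parts[:3]
    for label in (user, role, typ):
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r} in context {text!r}")
    rng = parts[3] if len(parts) == 4 and parts[3] else None
    return SELinuxContext(user, role, typ, rng)


# Constructed sample in the shape of `ps -eZ`: LABEL PID TTY TIME CMD.
# Two hypothetical "sim" workers are shown: one still in the daemon's
# unconfined_t domain and one running in the execution user's context.
PS_EZ_SAMPLE = """\
LABEL                                   PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2101 ?  00:00:03 lim
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2107 ?  00:00:01 pem
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3310 ?  00:00:00 sim
user_u:user_r:user_t:s0 3311 ?  00:00:00 sim
system_u:system_r:docker_t:s0 4001 ?  00:00:00 containerd-shim
"""


def parse_ps_ez(ps_output: str):
    """Turn `ps -eZ`-style lines into (context, pid, cmd) tuples, skipping the header."""
    rows = []
    for line in ps_output.splitlines():
        line = line.strip()
        if not line or line.startswith("LABEL"):
            continue
        fields = line.split(None, 4)  # label, pid, tty, time, cmd (cmd may contain spaces)
        if len(fields) != 5:
            raise ValueError(f"unexpected ps line: {line!r}")
        label, pid, _tty, _time, cmd = fields
        rows.append((parse_context(label), int(pid), cmd))
    return rows


def domain_summary(ps_output: str):
    """Map each SELinux type (domain) to the commands running in it."""
    summary = {}
    for ctx, _pid, cmd in parse_ps_ez(ps_output):
        summary.setdefault(ctx.type, []).append(cmd)
    return summary


def processes_outside_domains(ps_output: str, daemon_domains=("unconfined_t", "docker_t")):
    """List (pid, cmd, context) for processes not running in the named daemon domains.

    After the context switch is enabled, user workloads are expected to appear
    here; daemons such as LIM are expected to stay in unconfined_t.
    """
    return [
        (pid, cmd, str(ctx))
        for ctx, pid, cmd in parse_ps_ez(ps_output)
        if ctx.type not in daemon_domains
    ]


if __name__ == "__main__":
    for domain, cmds in sorted(domain_summary(PS_EZ_SAMPLE).items()):
        print(f"{domain:16s} {', '.join(cmds)}")
    for pid, cmd, ctx in processes_outside_domains(PS_EZ_SAMPLE):
        print(f"context-switched: pid={pid} cmd={cmd} ctx={ctx}")
```

On a real host, replace PS_EZ_SAMPLE with the captured output of `ps -eZ`; the parser treats everything after the third colon as the range, which is why MLS ranges with embedded colons survive the round trip through str().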