SELinux considerations

To simplify the configuration of the IBM Storage Scale for Object Storage environment, the installation process detects whether SELinux is enabled. If SELinux is enabled, the installation process performs steps so that the object services and the database software that runs on the protocol nodes can interact with the required file system and system resources.

The openstack-selinux package is installed automatically when the spectrum-scale-object package is installed. Installing this package configures the object services for SELinux.

If the installer detects that SELinux is enabled, it does the following steps:

  1. Ensures that the Postgres database can access the Keystone database directory on the CES shared root file system:
    semanage fcontext -a -t postgresql_db_t "<keystone db directory>(/.*)?"
    semanage fcontext -a -t postgresql_log_t "<keystone db directory>/log(/.*)?"
    restorecon -R "<keystone db directory>"
  2. Ensures that object processes can access the object data fileset:
    semanage fcontext -a -t swift_data_t "<object fileset directory>(/.*)?"
    restorecon -R <object fileset directory>/*
Attention:
  • The object protocol is not supported in IBM Storage Scale 5.1.0.0. If you want to deploy object, install the IBM Storage Scale 5.1.0.1 or a later release.
  • If SELinux is disabled during installation of IBM Storage Scale for object storage, enabling SELinux after installation is not supported.
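
The labels assigned in steps 1 and 2 can be audited after installation. The following shell functions are an added example, not part of the IBM installer: they read `stat -c '%C %n'` output and flag paths whose SELinux type differs from what the fcontext rules above specify. The directory paths and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit SELinux types against the installer's fcontext rules.
# Input: "<context> <path>" lines, e.g. from
#   find "$db" "$obj" -exec stat -c '%C %n' {} + | audit_labels "$db" "$obj"

# Print the type (third colon-separated field) of an SELinux context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type <path> <keystone db dir> <object fileset dir>
# The more specific log rule is tested before the database rule.
expected_type() {
    case "$1" in
        "$2"/log|"$2"/log/*) echo postgresql_log_t ;;
        "$2"|"$2"/*)         echo postgresql_db_t ;;
        "$3"|"$3"/*)         echo swift_data_t ;;
        *)                   : ;;   # path not covered by these rules
    esac
}

# Print one MISMATCH line per wrongly labeled path; return 1 if any found.
audit_labels() {
    rc=0
    while read -r ctx path; do
        want=$(expected_type "$path" "$1" "$2")
        [ -n "$want" ] || continue
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path: have $have, want $want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data; both directories are placeholder paths.
SAMPLE_DB=/ces/object/keystone
SAMPLE_OBJ=/gpfs/fs0/object_fileset
sample_listing() {
    cat <<'EOF'
system_u:object_r:postgresql_db_t:s0 /ces/object/keystone/base
system_u:object_r:postgresql_db_t:s0 /ces/object/keystone/log/postgresql.log
system_u:object_r:swift_data_t:s0 /gpfs/fs0/object_fileset/o/z1device0
unconfined_u:object_r:unlabeled_t:s0 /gpfs/fs0/object_fileset/o/z1device1
system_u:object_r:etc_t:s0 /etc/hosts
EOF
}

sample_listing | audit_labels "$SAMPLE_DB" "$SAMPLE_OBJ" || true
```

A MISMATCH line means the path was created or moved after the `restorecon` run, or was not covered by it; rerunning `restorecon -R` on the affected directory reapplies the configured type.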

SELinux packages required for IBM Storage Scale for Object Storage

When the IBM Storage Scale object protocol is installed, the following SELinux packages are also installed:
  • selinux-policy-base at 3.13.1-23 or higher
  • selinux-policy-targeted at 3.12.1-153 or higher

When you use the object protocol, you cannot enable SELinux after the IBM Storage Scale installation. Contact IBM Storage Scale support by sending an email to scale@us.ibm.com if you have questions about this restriction.