Enabling SELinux in ESS

Enabling SELinux in an ESS environment is a two-step process: the node is first put into Permissive mode and rebooted, and then switched to Enforcing mode. SELinux can be enabled for the EMS node and the I/O server nodes by using the selinux sub-command of the ess3krun command.

By default, SELinux is disabled on every node in an ESS cluster. You can run the selinux sub-command of the ess3krun command to enable or disable SELinux on nodes. This command can be run after the deployment of the EMS node or of the I/O server nodes is complete.

  • Enable SELinux on the EMS node as follows.
    1. Run the selinux sub-command on the EMS node.
      # ess3krun -N ems1 selinux permissive
      Note: Make sure that you reboot the node when the selinux sub-command completes.
    2. Reboot the node.
      # systemctl reboot
      The node is rebooted and it comes up with SELinux in Permissive mode.
      # sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   permissive
      Mode from config file:          permissive
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Max kernel policy version:      31
      
    3. Rerun the selinux sub-command with the enable option to enforce SELinux.
      # ess3krun -N ems1 selinux enable
      No reboot is required in this case.
      # sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Max kernel policy version:      31
      
    After SELinux is enabled, the kernel records SELinux activity (AVC messages) in the /var/log/audit/audit.log file.
  • Enable SELinux on I/O server nodes as follows.
    1. Run the selinux sub-command on the I/O server nodes.
      # ess3krun -G ess_x86_64 selinux permissive
      Note: Make sure that you reboot the node when the selinux sub-command completes.
    2. Reboot the I/O server nodes.
      # systemctl reboot

      The nodes are rebooted and come up with SELinux in Permissive mode.

    3. Rerun the selinux sub-command with the enable option to enforce SELinux.
      # ess3krun -G ess_x86_64 selinux enable

      No reboot is required in this case.

    After SELinux is enabled, the kernel records SELinux activity (AVC messages) in the /var/log/audit/audit.log file.
  • Disable SELinux on ESS nodes as follows.
    • To disable SELinux on the EMS node, use the following command.
      # ess3krun -N ems1 selinux disable

      Reboot the node after the command completes. When the node comes up after the reboot, SELinux is disabled.

      You can check the status as follows.
      # sestatus
      SELinux status:                 disabled
      
    • To disable SELinux on the I/O server nodes, use the following command.
      # ess3krun -G ess_x86_64 selinux disable

      Reboot the nodes after the command completes. When a node comes up after the reboot, SELinux is disabled. Any I/O server node name can also be used instead of the group name.

    Protocol node consideration: Protocol node deployment is not supported with the ESS 3000 version 6.0.0.2 container.
    Additional information: All of the security items mentioned are optional features that you can enable on demand for an ESS cluster. Security commands can be run using the ess3krun command after deployment of the node is done and before the GPFS cluster is created. In upgrade cases, any such security commands must be run after stopping the GPFS cluster. Do not attempt to run any security command while the GPFS cluster is up and running.
    Container consideration: Make sure that none of the security commands are run against the container node. The container has a very light footprint of the Red Hat Enterprise Linux® 7.x OS on which security parameters are not supported.
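As an added example that is not part of the ESS documentation, the following POSIX shell script checks that a node reports the SELinux mode each step above should leave it in (permissive after the first step and reboot, enforcing after the enable step, disabled after the disable step), and summarizes the AVC denials that /var/log/audit/audit.log accumulated while the node ran in Permissive mode. Reviewing those denials before the enable step tells you what Enforcing mode would block. The sestatus output and audit records embedded in the script are constructed samples, and the function names (selinux_mode, expect_mode, count_avc_denials, denied_sources) are assumptions of this example, not ess3krun options.

```shell
#!/bin/sh
# Added example (not from the ESS documentation): verify the SELinux state that
# each step of the procedure should leave behind, and summarize AVC denials
# recorded in the audit log while the node ran in permissive mode.
# The sestatus output and audit lines below are constructed samples.

# selinux_mode TEXT -> prints "disabled", "permissive", "enforcing" or "unknown".
# Parses sestatus-style output passed as a string, so it also runs offline.
selinux_mode() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "SELinux status" && $2 == "disabled" { print "disabled"; found=1; exit }
        $1 == "Current mode" { print $2; found=1; exit }
        END { if (!found) print "unknown" }'
}

# expect_mode TEXT WANTED -> returns 0 if the reported mode matches, 1 otherwise.
expect_mode() {
    got=$(selinux_mode "$1")
    [ "$got" = "$2" ] && return 0
    echo "SELinux mode is '$got', expected '$2'" >&2
    return 1
}

# count_avc_denials TEXT -> number of AVC denial records in audit-log text.
count_avc_denials() {
    printf '%s\n' "$1" | grep -c 'type=AVC .*denied'
}

# denied_sources TEXT -> unique source contexts (scontext=) of the denials.
denied_sources() {
    printf '%s\n' "$1" | grep 'type=AVC .*denied' \
        | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | sort -u
}

# Constructed sample: sestatus output after the permissive step and reboot.
SAMPLE_PERMISSIVE='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Current mode:                   permissive
Mode from config file:          permissive'

# Constructed sample: two AVC denial records plus one unrelated SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.001:101): avc:  denied  { read } for  pid=1234 comm="example" name="x" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1700000000.002:102): avc:  denied  { write } for  pid=1234 comm="example" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1'

# Stand-alone run against the samples. On a real node, pass live data instead:
#   expect_mode "$(sestatus)" permissive
#   count_avc_denials "$(cat /var/log/audit/audit.log)"
main() {
    expect_mode "$SAMPLE_PERMISSIVE" permissive || exit 1
    echo "AVC denials recorded in permissive mode: $(count_avc_denials "$SAMPLE_AUDIT")"
    echo "Source contexts involved:"
    denied_sources "$SAMPLE_AUDIT"
}

main
```

Run expect_mode with "$(sestatus)" and the mode the step you just completed should produce; a non-zero exit means the node is not in the state the procedure expects (for example, the reboot after the permissive step was skipped). Run count_avc_denials and denied_sources against the live audit log before the enable step so that the denials recorded in Permissive mode can be reviewed before they become hard failures in Enforcing mode.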