Enabling SELinux in ESS
Enabling SELinux in an ESS environment is a two-step process (the node is first put into permissive mode and rebooted, then switched to enforcing mode), and it can be enabled for the EMS node and the I/O server nodes using the selinux sub-command of the ess3krun command.
By default, SELinux is disabled on every node in an ESS cluster. You can run the selinux sub-command of the ess3krun command to enable or disable SELinux on nodes. This command can be run after the deployment of the EMS node or the I/O server nodes is complete.
- Enable SELinux on the EMS node as follows.
  - Run the selinux sub-command on the EMS node.
    # ess3krun -N ems1 selinux permissive
    Note: Make sure that you reboot the node when the selinux sub-command completes.
  - Reboot the node.
    # systemctl reboot
    The node is rebooted and it comes up with SELinux in Permissive mode.
    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      31
  - Rerun the selinux sub-command with the enable option to enforce SELinux.
    # ess3krun -N ems1 selinux enable
    No reboot is required in this case.
    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      31
    After SELinux is enabled, the kernel logs SELinux activity in the /var/log/audit/audit.log file.
- Enable SELinux on the I/O server nodes as follows.
  - Run the selinux sub-command on the I/O server nodes.
    # ess3krun -G ess_x86_64 selinux permissive
    Note: Make sure that you reboot the nodes when the selinux sub-command completes.
  - Reboot the I/O server nodes.
    # systemctl reboot
    The nodes are rebooted and they come up with SELinux in Permissive mode.
  - Rerun the selinux sub-command with the enable option to enforce SELinux.
    # ess3krun -G ess_x86_64 selinux enable
    No reboot is required in this case.
    After SELinux is enabled, the kernel logs SELinux activity in the /var/log/audit/audit.log file.
- Disable SELinux on ESS nodes as follows.
  - To disable SELinux on the EMS node, use the following command.
    # ess3krun -N ems1 selinux disable
    Reboot the node after the command completes. When the node comes up after the reboot, SELinux is disabled. You can check the status as follows.
    # sestatus
    SELinux status:                 disabled
  - To disable SELinux on the I/O server nodes, use the following command.
    # ess3krun -G ess_x86_64 selinux disable
    Reboot the nodes after the command completes. When a node comes up after the reboot, SELinux is disabled. Any I/O server node name can also be used instead of the group name.
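The following is an added example, not part of IBM's ESS documentation or the ess3krun tool: a small POSIX shell helper that checks a node against the state each step above expects (permissive after the first step and reboot, enforcing after the enable step, disabled after the disable step) by parsing sestatus output, and that counts the AVC denials recorded in audit.log during permissive mode so they can be reviewed before enforcing. The sestatus and audit.log inputs below are constructed samples so the script runs offline; on a real node you would pipe the live commands into the same functions.

```shell
#!/bin/sh
# Added example (not IBM's code). Verifies the SELinux state after each
# ess3krun selinux step, reading `sestatus` output or audit.log lines from stdin.

# Print one sestatus field by its label, e.g. "Current mode".
sestatus_field() {
    awk -v label="$1" 'index($0, label ":") == 1 { sub(/^[^:]*:[[:space:]]*/, ""); print }'
}

# Succeed only if the running mode AND the config-file mode both equal $1.
# Both must agree before moving on; a disagreement means the runtime mode
# and /etc/selinux/config have drifted and the next step should wait.
selinux_mode_is() {
    out=$(cat)
    cur=$(printf '%s\n' "$out" | sestatus_field "Current mode")
    cfg=$(printf '%s\n' "$out" | sestatus_field "Mode from config file")
    [ "$cur" = "$1" ] && [ "$cfg" = "$1" ]
}

# Succeed only if sestatus reports SELinux disabled (expected after
# `selinux disable` plus a reboot).
selinux_is_disabled() {
    [ "$(sestatus_field 'SELinux status')" = disabled ]
}

# Count AVC denials in audit.log lines: what permissive mode records and what
# should be reviewed before running `selinux enable`.
avc_denial_count() {
    awk '/^type=AVC / && /avc: +denied/ { n++ } END { print n + 0 }'
}

# Constructed sample inputs (field values follow the sestatus output above).
SESTATUS_PERMISSIVE='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive'
SESTATUS_DRIFTED='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'
SESTATUS_DISABLED='SELinux status:                 disabled'
# Constructed audit.log excerpt: two AVC denials and one unrelated SYSCALL record.
AUDIT_SAMPLE='type=AVC msg=audit(1700000000.000:101): avc:  denied  { read } for  pid=4242 comm="exampled" name="data" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.000:101): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1700000000.000:102): avc:  denied  { write } for  pid=4242 comm="exampled" name="data" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1'

# Stand-alone demo: gate the `selinux enable` step on the two checks above.
printf '%s\n' "$SESTATUS_PERMISSIVE" | selinux_mode_is permissive || echo "not in permissive mode yet; reboot first"
echo "AVC denials to review before enforcing: $(printf '%s\n' "$AUDIT_SAMPLE" | avc_denial_count)"
```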
Protocol node consideration: Protocol node deployment is not supported with the ESS 3000 version 6.0.0.2 container.
Additional information: Each security item described here is an optional feature that you can enable on demand for an ESS cluster. Security commands can be run using the ess3krun command after deployment of the node is done and before the GPFS cluster is created. In upgrade cases, any such security command must be run after stopping the GPFS cluster. Do not attempt to run any security command while the GPFS cluster is up and running.
Container consideration: Make sure that none of the security commands are run against the container node. The container has a very light footprint of the Red Hat Enterprise Linux® 7.x OS, on which security parameters are not supported.