
IBM App Connect Enterprise 13.0 and 12.0 support for Security Enhanced Linux

General Page

IBM App Connect Enterprise 13.0.1.0 and 12.0.1.0 (or later versions) can be run with Security Enhanced Linux (SELinux) enabled on Red Hat Enterprise Linux, subject to some restrictions. This document describes the requirements for running these product versions in an environment where SELinux is enabled.

Environment


IBM App Connect Enterprise in containers
 
When running IBM App Connect Enterprise 12.0.1.0 or above in containers, SELinux can be enabled and in "enforcing" mode only when you are using the standard Red Hat container SELinux policy. This is the policy that is used in the Red Hat OpenShift Container Platform.
 

IBM App Connect Enterprise in non-containerized environments
If you are running outside of containers, then to run IBM App Connect Enterprise in a supported configuration with SELinux enabled, the system must satisfy all of the following requirements. Any system that does not meet these requirements must have SELinux disabled.
 

Product version

The IBM App Connect Enterprise versions required for SELinux support are:

  • IBM App Connect Enterprise 12.0.1.0 (or later)
  • IBM App Connect Enterprise 13.0.1.0 (or later)

 

Operating system version

The operating system must meet the following minimum version, depending on the product version:

  • Red Hat Enterprise Linux version 8.0 or later for IBM App Connect Enterprise 12.0.
  • Red Hat Enterprise Linux version 8.8 or later for IBM App Connect Enterprise 13.0.

There are no hardware architecture requirements: this support statement applies to all Red Hat Enterprise Linux hardware architectures supported by the stated IBM App Connect Enterprise versions.

 

SELinux configuration

SELinux must be configured as follows, if using IBM App Connect Enterprise outside of containers:

  1. The Red Hat Enterprise Linux targeted SELinux policy provided with the operating system must be used. The `SELINUXTYPE=targeted` option must be set in the SELinux configuration.
  2. All IBM App Connect Enterprise applications, control commands, integration nodes and integration servers must run in an unconfined SELinux security context (for example, SELinux user `unconfined_u`).
  3. Do not alter the operating system SELinux security policy to impose additional restrictions on unconfined applications.
  4. SELinux must not deny access to the `/var/mqsi` directory, the product install directory, any HA work path directories used by integration nodes, or the work directory of an independent integration server by IBM App Connect Enterprise applications, control commands, integration nodes, and integration servers.
  5. Use of Multi-Level Security (MLS) with multiple sensitivity levels is not supported. All of the IBM App Connect Enterprise applications, control commands, integration nodes, and integration servers on the system must run at the same SELinux sensitivity level.
 

You can use SELinux in either enforcing or permissive mode provided these requirements are satisfied.

Verifying the Configuration

To check the SELinux configuration, run the `sestatus` command. If SELinux is enabled, the output should be similar to the following:

    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted

The policy should be "targeted" and the current mode should be either "enforcing" or "permissive". The mode from config file may differ from the current mode in some cases, but it is the current mode which is significant. Note that the values of the other fields may vary between systems and may differ from those shown here.

To check which SELinux security context your command shell is using, run the `id -Z` command. The output should be similar to the following:

    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The security context should have an unconfined user (e.g. unconfined_u) running at a single sensitivity level (for example, s0). This example shows an unconfined security context suitable for running IBM App Connect Enterprise applications, control commands and queue managers. Note that the security context may vary between systems and may differ from that shown here.
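
The two checks above, scripted as an added example (not IBM-supplied code): the functions take the text printed by `sestatus` and `id -Z` and test it against the policy, mode, user and sensitivity-level requirements on this page. It goes slightly beyond the sample output shown here by also accepting the `Loaded policy name` field that newer `sestatus` versions print; the function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not IBM code): evaluate sestatus and id -Z output
# against the requirements listed on this page.

# Print the value of one "Name:   value" field from sestatus output.
sestatus_field() {  # $1 = sestatus output, $2 = field name
    printf '%s\n' "$1" | awk -F: -v k="$2" \
        '$1 == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Requirement: SELinux enabled, targeted policy, enforcing or permissive.
check_sestatus() {  # $1 = sestatus output
    local status mode policy
    status=$(sestatus_field "$1" "SELinux status")
    mode=$(sestatus_field "$1" "Current mode")
    # Newer sestatus versions print "Loaded policy name"; the sample on
    # this page uses the older "Policy from config file" field name.
    policy=$(sestatus_field "$1" "Loaded policy name")
    [ -n "$policy" ] || policy=$(sestatus_field "$1" "Policy from config file")
    [ "$status" = "enabled" ] || { echo "SELinux status is '$status'"; return 1; }
    [ "$policy" = "targeted" ] || { echo "policy '$policy' is not targeted"; return 1; }
    case $mode in
        enforcing|permissive) echo "ok" ;;
        *) echo "unexpected current mode '$mode'"; return 1 ;;
    esac
}

# Requirement: unconfined user, one sensitivity level (categories may vary).
check_context() {  # $1 = context, e.g. output of id -Z
    local user level low high
    user=${1%%:*}
    level=$(printf '%s\n' "$1" | cut -s -d: -f4-)
    # Assumption: only unconfined_u, the page's example user, is accepted.
    [ "$user" = "unconfined_u" ] || { echo "user '$user' is not unconfined_u"; return 1; }
    [ -n "$level" ] || { echo "context has no level field"; return 1; }
    low=${level%%-*}; high=${level#*-}   # s0-s0:c0.c1023 -> s0 and s0:c0.c1023
    low=${low%%:*}; high=${high%%:*}     # drop the category sets
    [ "$low" = "$high" ] || { echo "sensitivity range $low-$high"; return 1; }
    echo "ok"
}

# Constructed sample in the newer sestatus layout (not captured from a host).
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

check_sestatus "$SAMPLE_SESTATUS"
check_context "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
# On a live host: check_sestatus "$(sestatus)"; check_context "$(id -Z)"
```

Each function prints `ok` and returns 0 when the requirement is met; otherwise it prints the reason and returns 1, so it can gate a startup script for integration nodes or servers.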

Refer to your Linux support vendor if you require assistance with SELinux configuration.


Document Information

Modified date:
30 October 2025

UID

ibm16406668