SELinux security policy for SA Infrastructure

This section provides information about downloading, installing, and extending the SELinux security policy for the SA Infrastructure.

Downloading the installer

  • For SA 10.5x, the SELinux RPM packages are bundled with the Server Automation installer at <mount_point>-primary/disk001/packages/Linux/6SERVER-X86_64/

The installation media is distributed as the following RPM packages:

  • hpsa_selinux_infra-<version>-<release>.x86_64.rpm

    Where <version> is the version number of the RPM package and <release> is the release number.
    This RPM package contains the prebuilt SA Infrastructure SELinux security policy module that needs to be loaded after the Agent installation.

  • hpsa_selinux_infra_src-<version>-<release>.noarch.rpm

    Where <version> is the version number of the RPM package and <release> is the release number.
    This RPM package contains the SELinux security source policy definition that can be used to rebuild the security policy if changes are required. The updated security policy can then be reloaded on the system.

Installing and uninstalling the SELinux security policy for SA Infrastructure

This topic provides information on installing SELinux security policy for SA Infrastructure.

Prerequisites

The following table lists the supported operating system and SA version for installing SELinux with SA Infrastructure.

Component                    Requirements
Supported operating system   Red Hat Enterprise Linux 6 Server x86_64 GA-6.6
Supported SA version         10.5x

Important When installing the SELinux security policy for SA Infrastructure, SELinux should be either disabled or enabled in Permissive mode.

Installing the RPM package containing prebuilt SELinux security policy

Before installing the RPM package, ensure that you have:

  • Shut down SA services:

    /etc/init.d/opsware-sas stop

    /etc/init.d/opsware-oracle stop

  • Installed the following packages on your machine:

    • policycoreutils
    • selinux-policy
    • libselinux-utils
    • make (optional: required only if you want to extend the SELinux policies)

To install the RPM, run the following command:

rpm -ihv hpsa_selinux_infra-<version>-<release>.x86_64.rpm

Where <version> is the version number of the RPM package and <release> is the release number.

  • The hpsa_infra and hpsa_infra_custom folders, containing the lists of permissions for the SA Infrastructure, will be created at /var/opt/opsware/selinux.
  • If SELinux is enabled in Permissive mode, the installation will load the policy and perform SA files context relabeling.
  • If SELinux is disabled, you must manually relabel the SA files context by performing one of the following actions:
    • To relabel SA files, run the following command.

      sh /var/opt/opsware/selinux/hpsa_infra/operations.sh restorecon_files

      The time taken to relabel SA files is proportional to the number of SA files on the system. This operation does not require a reboot.

    • To relabel the whole filesystem, run the following command.

      touch /.autorelabel

      The time taken to relabel is proportional to the size of the filesystem. This operation relabels all files at boot time, so you must reboot the system.

      Perform one of the following actions to reboot the system:

      • Restart the system by running the following command:

        shutdown -r now

      • Restart the system by calling the init system scripts:

        run_init /etc/init.d/opsware-oracle start

        run_init /etc/init.d/opsware-sas startsync

      You must reboot the system for proper function of the SA Infrastructure.

    Tip HPE recommends that you enable SELinux in Permissive mode while installing the RPM package, to avoid manually relabeling the SA files.

Installing RPM package containing source policy

Before installing the RPM package, ensure that you have:

  • Shut down SA services:

    /etc/init.d/opsware-sas stop

    /etc/init.d/opsware-oracle stop

  • Installed the following packages on your machine:
    • policycoreutils
    • selinux-policy
    • libselinux-utils
    • make

To install the RPM, run the following command:

rpm -ihv hpsa_selinux_infra_src-<version>-<release>.noarch.rpm

Where <version> is the version number of the RPM package and <release> is the release number.

The installation will create the /var/opt/opsware/selinux/hpsa_infra folder containing all the files needed to rebuild the policy. To rebuild the policy, run the following commands:

  1. Navigate to the hpsa_infra directory:

    cd /var/opt/opsware/selinux/hpsa_infra

  2. Rebuild the policy:

    make

  3. Load the policy and relabel the SA files context:

    make install

  • If SELinux is enabled in the Permissive mode, the installation will load the policy and perform the relabeling of SA files context.
  • If SELinux is disabled, you must manually relabel SA files context by performing one of the following actions:
    • To relabel SA files, run the following command.

      sh /var/opt/opsware/selinux/hpsa_infra/operations.sh restorecon_files

      The time taken to relabel SA files is proportional to the number of SA files on the system. This operation does not require a reboot.

    • To relabel the whole filesystem, run the following command.

      touch /.autorelabel

      The time taken to relabel is proportional to the size of the filesystem. This operation relabels all files at boot time, so you must reboot the system.

      To make your changes visible to the SA environment, perform one of the following actions:

      • Reboot the system:

        /etc/init.d/opsware-sas stop
        /etc/init.d/opsware-oracle stop
        shutdown -r now
      • Call init system scripts and restart the SA Agent:

        run_init /etc/init.d/opsware-sas stop

        run_init /etc/init.d/opsware-sas startsync

  • You can view the additional commands by running the following command:

    cd /var/opt/opsware/selinux/hpsa_infra && make help

    Tip HPE recommends that you enable SELinux in Permissive mode while installing the RPM package, to avoid manually relabeling the SA files.

Uninstalling the SELinux policy module for SA Infrastructure

The helper scripts within the RPM packages containing prebuilt policies will attempt to unload the prebuilt policies before uninstallation. Hence, to keep the prebuilt policies loaded, HPE recommends that you use the RPM packages containing the SELinux policy module sources. However, while uninstalling, the helper scripts in those RPM packages will attempt to remove the hpsa_infra_custom directory along with all its contents, so ensure that you back up all changes made to the files before uninstallation.

Extending the security policy

Whenever a denial is encountered on a managed server, you can update the policy module and reload it. This iterative process can be repeated until you stop encountering denials.

The SELinux denial error messages are logged at /var/log/audit/audit.log.

Note In some cases, denials might be spurious and will not affect the functionality of the SA Infrastructure. Therefore, confirm that the functionality of the SA Infrastructure is truly blocked by SELinux before granting more permissions.

Prerequisites

  • Additional permissions are added in /var/opt/opsware/selinux/hpsa_infra_custom/hpsa_infra_custom.te.
  • Before reproducing the action that creates the denial message in the audit log, run the following command to enable verbose denial logging so that SELinux ignores the "dontaudit" statements in the various policies:

    semodule --disable_dontaudit --build

    The SELinux management utility semodule rebuilds the SELinux policy, but ignores the "dontaudit" statements. The policy is then loaded in memory. Once you disable the "dontaudit" statements, all denials are logged.

  • Run the following command to re-enable the "dontaudit" statements by rebuilding the policy:

    semodule --build

Updating the policy module

  1. Run the following command to obtain the denial messages from the /var/log/audit/audit.log file:

    #> cat /var/log/audit/audit.log | grep denied | grep hpsa_infra

    For example, the following denial messages will be displayed after running the above command:

    type=AVC msg=audit(1453995272.565:1793): avc: denied { read open } for pid=6737 comm="perl" name="ifconfig" dev=dm-0 ino=7602299 scontext=system_u:system_r:hpsa_infra_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

    type=AVC msg=audit(1453995272.565:1793): avc: denied { execute_no_trans } for pid=6737 comm="perl" path="/sbin/ifconfig" dev=dm-0 ino=7602299 scontext=system_u:system_r:hpsa_infra_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

  2. Feed the denials to the audit2allow utility to generate the rules for the policy module:

    #> cat /var/log/audit/audit.log | grep denied | grep hpsa | audit2allow -m hpsa_infra_custom

    For example, the following will be displayed as output:

    module hpsa_infra_custom 1.0;
    
    require {
            type hpsa_infra_t;
            type ifconfig_exec_t;
            class file { read open execute_no_trans };
    }
    
    #============= hpsa_infra_t ==============
    allow hpsa_infra_t ifconfig_exec_t:file { read open execute_no_trans };
    
  3. Perform one of the following actions:
    • If there are no other rules in the /var/opt/opsware/selinux/hpsa_infra_custom/hpsa_infra_custom.te file, place the audit2allow output, omitting the "module hpsa_infra_custom 1.0;" line, in the hpsa_infra_custom.te file.

      Note You can verify the version number of the loaded SELinux policy module by running the following command:

      semodule -l | grep hpsa_infra_custom

    • If there are rules present already in the hpsa_infra_custom.te file, you can append the new rules at the end of the file or integrate the new rules with the already existing rules.

      To integrate new rules with the already existing rules, proceed as shown in the following example:

      Assume that you already have the following rules:

      require {
              type hpsa_infra_t;
              type ifconfig_exec_t;
              class file { read open execute_no_trans };
      }
      
      #============= hpsa_infra_t ==============
      allow hpsa_infra_t ifconfig_exec_t:file { read open execute_no_trans };
      

      And, the following rule is generated by the audit2allow:

      require {
              type hpsa_infra_t;
              type ifconfig_exec_t;
              class file { execute };
      }
      
      #============= hpsa_infra_t ==============
      allow hpsa_infra_t ifconfig_exec_t:file execute;
      

      Now, you can merge the new rules with the old rules if they have the same source and target contexts and the same class. The merged file is as shown below:

      require {
              type hpsa_infra_t;
              type ifconfig_exec_t;
              class file { read open execute_no_trans execute };
      }
      
      #============= hpsa_infra_t ==============
      allow hpsa_infra_t ifconfig_exec_t:file { read open execute_no_trans execute };
      
  4. Build and reload the custom policy using the following commands:

    #> cd /var/opt/opsware/selinux/hpsa_infra_custom
    #> make
    #> make load_policy
    
  5. (Optional) Run the following command to rotate the audit.log file so that old denials are no longer displayed:

    #> make rotate_audit_log

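The following script is an added example, not code from HPE or the SA product; it shows, in Python, the work behind steps 1 to 3 above: parsing AVC denial records into (source type, target type, class) permission sets (what the grep in step 1 and audit2allow in step 2 produce) and merging them with rules already present in hpsa_infra_custom.te under the rule from step 3 (same source and target types and same class, so their permission sets are unioned). The audit log lines are constructed sample data modelled on the records shown above, plus one unrelated sshd_t denial and one non-AVC record that must be ignored; permissions are rendered sorted, so the order differs cosmetically from the audit2allow output on the page.

```python
"""Added example: derive and merge SELinux allow rules from AVC denials.

Not part of the SA product. SAMPLE_AUDIT_LOG is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample: two hpsa_infra_t denials (as on the page), one
# unrelated sshd_t denial, and one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1453995272.565:1793): avc:  denied  { read open } for  pid=6737 comm="perl" name="ifconfig" dev=dm-0 ino=7602299 scontext=system_u:system_r:hpsa_infra_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1453995272.565:1793): avc:  denied  { execute_no_trans } for  pid=6737 comm="perl" path="/sbin/ifconfig" dev=dm-0 ino=7602299 scontext=system_u:system_r:hpsa_infra_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1453995300.001:1800): avc:  denied  { write } for  pid=7001 comm="sshd" name="resolv.conf" dev=dm-0 ino=131 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1453995272.565:1793): arch=c000003e syscall=59 success=no exit=-13
"""

# One AVC record per line: permissions in braces, then the source and
# target security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# A .te allow rule: "allow <src> <tgt>:<class> { p1 p2 };" or "... <class> p1;"
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")


def type_of(context):
    """Extract the type field from a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_denials(log_text, source_type=None):
    """Group AVC denials into {(src_type, tgt_type, tclass): set(perms)}.

    With source_type set, only denials whose scontext type matches are kept,
    which is what the 'grep hpsa_infra' filter in step 1 achieves.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = type_of(m.group("scontext"))
        if source_type is not None and src != source_type:
            continue
        key = (src, type_of(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def parse_allow_rules(te_text):
    """Read existing allow rules from .te text into the same keyed form."""
    rules = defaultdict(set)
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, tclass, perms = m.groups()
            rules[(src, tgt, tclass)].update(perms.strip("{}").split())
    return dict(rules)


def merge_rules(*rule_sets):
    """Union permission sets that share source type, target type and class."""
    merged = defaultdict(set)
    for rule_set in rule_sets:
        for key, perms in rule_set.items():
            merged[key].update(perms)
    return dict(merged)


def render_te(rules):
    """Render a require block plus allow rules in audit2allow's layout,
    without the 'module ...' line (step 3 says to omit it)."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, tclass), perms in rules.items():
        types.update((src, tgt))
        classes[tclass].update(perms)
    out = ["require {"]
    out += [f"        type {t};" for t in sorted(types)]
    out += [f"        class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for src in sorted({key[0] for key in rules}):
        out += ["", f"#============= {src} =============="]
        for (s, tgt, tclass), perms in sorted(rules.items()):
            if s == src:
                out.append(f"allow {s} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Existing custom rule lacks execute_no_trans; the denials supply it.
    existing = "allow hpsa_infra_t ifconfig_exec_t:file { read open };\n"
    new_rules = parse_denials(SAMPLE_AUDIT_LOG, source_type="hpsa_infra_t")
    print(render_te(merge_rules(parse_allow_rules(existing), new_rules)))
```

Because the merge keys on (source type, target type, class), a denial for a different source type such as sshd_t never bleeds into the hpsa_infra_t rules, which is the point of filtering on hpsa_infra in step 1 before granting anything.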
Using SELinux in Enforcing mode

If you are enabling SELinux in Enforcing mode, perform the following to allow SA services to work as expected:

When running an SA command, precede the SA command with the run_init command.

For example, the /etc/init.d/opsware-sas startsync command should be updated to:

run_init /etc/init.d/opsware-sas startsync

Note run_init will ask for the root password every time it is used.

HPE does not recommend upgrading the SELinux policy modules by unloading the previous policies while in Enforcing mode, because doing so affects the SA SELinux policy modules. Instead, overwrite the previous policy module with the updated one.

For example:

cd /var/opt/opsware/selinux/hpsa_infra_custom

make show_version    (get the current version, if present)

[make changes to hpsa_infra_custom.te]

make

make load_policy

make show_version    (get the modified version)