
SELinux security policy for SA Agent

This section provides information about downloading, installing, and extending the SELinux security policy for the SA Agent.

Downloading the installer

  • For SA 10.5x, the SELinux RPM packages are bundled with the Server Automation installer at <mount_point>-primary/disk001/packages/Linux/6SERVER-X86_64/
  • For SA 10.2x, the SELinux RPM packages are available at HPELN.

The installation media is distributed as the following RPM packages:

  • hpsa_selinux_agent-<version>-<release>.x86_64.rpm

    Where <version> is the version number of the RPM package and <release> is the release number.
    This RPM package contains the prebuilt SELinux security policy module that needs to be loaded after the SA Agent installation.

  • hpsa_selinux_agent_src-<version>-<release>.noarch.rpm

    Where <version> is the version number of the RPM package and <release> is the release number.
    This RPM package contains the SELinux security source policy definition that can be used to rebuild the security policy if changes are required. The updated security policy can then be reloaded on the system.

Installing and uninstalling the SELinux security policy for SA Agent

This topic provides information on installing and uninstalling the SELinux security policy for SA Agent.

Prerequisites

The following table lists the supported operating system and SA version for installing SELinux with SA Agent.

Component                    Requirements
Supported operating system   Red Hat Enterprise Linux 6 Server x86_64 GA-6.6
Supported SA version         10.2x, 10.5x

Important When installing the SELinux security policy for SA Agent, SELinux should be either disabled or enabled in Permissive mode.

Installing the RPM package containing prebuilt SELinux security policy

Before installing the RPM package, ensure that you have installed the SA Agent and the following packages on your machine:

  • policycoreutils
  • selinux-policy
  • libselinux-utils
  • make (optional: required only if you want to extend the SELinux policies)

To install the RPM, run the following command:

rpm -ihv hpsa_selinux_agent-<version>-<release>.x86_64.rpm

Where <version> is the version number of the RPM package and <release> is the release number.

  • The hpsa_agent and hpsa_agent_custom folders, containing the list of permissions for the SA Agent, will be created at /var/opt/opsware/selinux.
  • If SELinux is enabled in Permissive mode, the installation will load the policy and perform SA files context relabeling.
  • If SELinux is disabled, you must manually relabel the SA files context by performing one of the following actions:
    • To relabel SA files, run the following command.

      sh /var/opt/opsware/selinux/hpsa_agent/operations.sh restorecon_files

      The time taken to relabel SA files is proportional to the number of SA files on the system. This operation does not require a reboot.

    • To relabel the whole filesystem, run the following command.

      touch /.autorelabel

      The time taken to relabel is proportional to the size of the filesystem. This operation relabels all files at boot time, so you must reboot the system.

      shutdown -r now

      Note You must reboot the system for proper function of the SA Agent.

      Tip HPE recommends that you enable SELinux in Permissive mode while installing the RPM package to avoid manual relabeling of the SA files.

Installing the RPM package containing source policy

Before installing the RPM package, ensure that you have installed the SA Agent and the following packages on your machine:

  • policycoreutils
  • selinux-policy
  • libselinux-utils
  • make

To install the RPM, run the following command:

rpm -ihv hpsa_selinux_agent_src-<version>-<release>.noarch.rpm

Where <version> is the version number of the RPM package and <release> is the release number.

The installation will create the /var/opt/opsware/selinux/hpsa_agent folder containing all the files needed to rebuild the policy. To rebuild the policy, run the following commands:

  1. Navigate to the hpsa_agent directory:

    cd /var/opt/opsware/selinux/hpsa_agent

  2. Rebuild the policy:

    make

  3. Load the policy and relabel the SA files context:

    make install

  • If SELinux is enabled in the Permissive mode, the installation will load the policy and perform the relabeling of SA files context.
  • If SELinux is disabled, you must manually relabel SA files context by performing one of the following actions:
    • To relabel SA files, run the following command.

      sh /var/opt/opsware/selinux/hpsa_agent/operations.sh restorecon_files

      The time taken to relabel SA files is proportional to the number of SA files on the system. This operation does not require a reboot.

    • To relabel the whole filesystem, run the following command.

      touch /.autorelabel

      The time taken to relabel is proportional to the size of the filesystem. This operation relabels all files at boot time, so you must reboot the system.

      To make your changes visible to the SA Agent, perform one of the following actions:

      • Reboot the system:
        shutdown -r now
      • Call init system scripts and restart the SA Agent:

        run_init /etc/init.d/opsware-agent stop

        run_init /etc/init.d/opsware-agent startsync

  • You can view the additional commands by running the following command:

    cd /var/opt/opsware/selinux/hpsa_agent && make help

    Tip HPE recommends that you enable SELinux in Permissive mode while installing the RPM package to avoid manual relabeling of the SA files.

Uninstalling the SELinux policy module for SA Agent

The helper scripts in the RPM package containing the prebuilt policies will attempt to unload the prebuilt policies before uninstallation. Hence, to keep the prebuilt policies loaded, HPE recommends that you use the RPM package containing the SELinux policy module sources. However, while uninstalling, the helper scripts in the RPMs will attempt to remove the hpsa_agent_custom directory along with all its contents, so ensure that you back up all changes made to the files before uninstallation.

Extending the security policy

Whenever a denial is encountered on a managed server, you can update the policy module and reload it. This iterative process can be repeated until you stop encountering denials.

The SELinux denial error messages are logged in /var/log/audit/audit.log.

Note In some cases, denials might be misleading and will not affect the functionality of the SA Agent. Therefore, ensure that the functionality of the SA Agent is truly blocked by SELinux before granting more permissions.

Prerequisites

  • Add the additional permissions in /var/opt/opsware/selinux/hpsa_agent_custom/hpsa_agent_custom.te.
  • Before reproducing the action that creates the denial message in the audit log, run the following command to enable verbose denial logging so that SELinux ignores the "dontaudit" statements in the various policies:

    semodule --disable_dontaudit --build

    The SELinux management utility semodule rebuilds the SELinux policy, but ignores the "dontaudit" statements. The policy is then loaded in memory. Once you disable the "dontaudit" statements, all denials are logged.

  • Run the following command to re-enable the "dontaudit" statements by rebuilding the policy:

    semodule --build

Updating the policy module

  1. Run the following command to obtain the denial messages from the /var/log/audit/audit.log file:

    #> cat /var/log/audit/audit.log | grep denied | grep hpsa_agent

    For example, the following denial messages will be displayed after running the above command:

    type=AVC msg=audit(1438000512.869:93): avc: denied { getattr } for pid=2682
    comm="updatedb" path="/opt/opsware/agent" dev=dm-0 ino=1317476
    scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
    tcontext=system_u:object_r:hpsa_agent_t:s0 tclass=dir

    type=AVC msg=audit(1438000512.871:94): avc: denied { search } for pid=2682
    comm="updatedb" name="agent" dev=dm-0 ino=1317476
    scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
    tcontext=system_u:object_r:hpsa_agent_t:s0 tclass=dir

    type=AVC msg=audit(1438000512.871:95): avc: denied { read } for pid=2682
    comm="updatedb" name="agent" dev=dm-0 ino=1317476
    scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
    tcontext=system_u:object_r:hpsa_agent_t:s0 tclass=dir

    type=AVC msg=audit(1438000512.871:95): avc: denied { open } for pid=2682
    comm="updatedb" name="agent" dev=dm-0 ino=1317476
    scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
    tcontext=system_u:object_r:hpsa_agent_t:s0 tclass=dir

  2. Feed the denials to the audit2allow utility for generating rules to create policies.

    #> cat /var/log/audit/audit.log | grep denied | grep agent | audit2allow -m hpsa_agent_custom

    For example, the following will be displayed as output:

    module hpsa_agent_custom 1.0;
    
    require {
    	type locate_t;
    	type hpsa_agent_t;
    	class dir { read getattr open search };
    }
    allow locate_t hpsa_agent_t:dir { read getattr open search };
  3. Perform one of the following actions:
    • If there are no other rules in the /var/opt/opsware/selinux/hpsa_agent_custom/hpsa_agent_custom.te file, place the audit2allow output, omitting the "module hpsa_agent_custom 1.0;" line, in the hpsa_agent_custom.te file.

      Note You can verify the version number of the loaded SELinux module by running the following command:

      semodule -l | grep hpsa_agent_custom

    • If rules are already present in the hpsa_agent_custom.te file, you can append the new rules at the end of the file or integrate the new rules with the existing rules.

      To integrate new rules with the existing rules, proceed as shown in the following example:

      Assume that you already have the following rules:

      require {
      	type locate_t;
      	type hpsa_agent_t;
      	class dir { read getattr open search };
      }
      allow locate_t hpsa_agent_t:dir { read getattr open search };
      

      And, the following rule is generated by the audit2allow:

      require {
      	type locate_t;
      	type hpsa_agent_t;
      	class dir { rename };
      }
      allow locate_t hpsa_agent_t:dir rename;

      Now, you can merge the new rules with the old rules if they have the same source and target contexts and the same class. The merged file is as shown below:

      require {
      	type locate_t;
      	type hpsa_agent_t;
      	class dir { read getattr open search rename };
      }
      allow locate_t hpsa_agent_t:dir { read getattr open search rename };
      
  4. Build and reload the custom policy using the following commands:

    #> cd /var/opt/opsware/selinux/hpsa_agent_custom
    #> make
    #> make load_policy
    
  5. (Optional) Run the following command to rotate the audit.log file so that old denials are no longer displayed:

    #> make rotate_audit_log
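
The denial-to-rule and merge steps above (steps 2 and 3) as an added Python example. This is not part of the HPE documentation or of the hpsa_selinux RPM packages, and it does not replace audit2allow; it shows what the audit2allow pipeline and the manual merge produce, so you can check a generated hpsa_agent_custom.te before running make load_policy. The audit.log records and the existing .te content inside it are constructed samples, and the function names and the hpsa_agent filter string are this example's own choices. Written for Python 3.

```python
"""Turn SELinux AVC denials into merged allow rules for hpsa_agent_custom.te.

Added example, not part of the HPE SA documentation or the hpsa_selinux RPMs.
It automates the manual steps: select the "avc: denied" records that involve
hpsa_agent (the grep step), derive allow rules from them (what audit2allow -m
does), and merge them with rules already present in hpsa_agent_custom.te when
source type, target type and class match.
"""
from __future__ import print_function
import re

# Constructed sample in /var/log/audit/audit.log format. Records 93-96 involve
# hpsa_agent_t; the var_log_t record and the SYSCALL record must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1438000512.869:93): avc: denied { getattr } for pid=2682 comm="updatedb" path="/opt/opsware/agent" dev=dm-0 ino=1317476 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hpsa_agent_t:s0 tclass=dir
type=AVC msg=audit(1438000512.871:94): avc: denied { search } for pid=2682 comm="updatedb" name="agent" dev=dm-0 ino=1317476 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hpsa_agent_t:s0 tclass=dir
type=AVC msg=audit(1438000512.871:95): avc: denied { read open } for pid=2682 comm="updatedb" name="agent" dev=dm-0 ino=1317476 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hpsa_agent_t:s0 tclass=dir
type=AVC msg=audit(1438000600.100:96): avc: denied { rename } for pid=2682 comm="updatedb" name="agent" dev=dm-0 ino=1317476 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hpsa_agent_t:s0 tclass=dir
type=AVC msg=audit(1438000600.200:97): avc: denied { read } for pid=2690 comm="updatedb" name="log" dev=dm-0 ino=2001 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1438000600.200:97): arch=c000003e syscall=2 success=no exit=-13 comm="updatedb"
"""

# Constructed: rules already present in hpsa_agent_custom.te (no module line).
EXISTING_TE = """\
require {
\ttype locate_t;
\ttype hpsa_agent_t;
\tclass dir { read getattr open search };
}
allow locate_t hpsa_agent_t:dir { read getattr open search };
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+'
    r'(?:\{\s*(?P<many>[^}]*)\}|(?P<one>\w+))\s*;', re.MULTILINE)


def type_of(context):
    """Type field of a context string user:role:type[:mls-range]."""
    return context.split(':')[2]


def parse_denials(log_text, needle='hpsa_agent'):
    """Return [(source_type, target_type, tclass, set(perms))] for each AVC
    denial whose source or target type contains `needle` (same selection as
    `grep denied | grep hpsa_agent`, but parsed rather than string-matched)."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records and non-AVC lines
        src, tgt = type_of(m.group('scontext')), type_of(m.group('tcontext'))
        if needle not in src and needle not in tgt:
            continue
        out.append((src, tgt, m.group('tclass'), set(m.group('perms').split())))
    return out


def parse_te_rules(te_text):
    """Collect existing allow rules as {(src, tgt, cls): set(perms)}."""
    rules = {}
    for m in ALLOW_RE.finditer(te_text):
        perms = m.group('many').split() if m.group('many') is not None else [m.group('one')]
        rules.setdefault((m.group('src'), m.group('tgt'), m.group('cls')), set()).update(perms)
    return rules


def merge_rules(existing, denials):
    """Union permissions per (src, tgt, cls); rules with a different source,
    target or class stay separate, as the merge guidance requires."""
    merged = dict((key, set(perms)) for key, perms in existing.items())
    for src, tgt, cls, perms in denials:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return merged


def render_te(rules):
    """Render the require block plus allow rules, without the `module` line,
    ready to replace the body of hpsa_agent_custom.te. Permissions are sorted
    so the output is deterministic and easy to diff against the previous file."""
    types, classes = set(), {}
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes.setdefault(cls, set()).update(perms)
    lines = ['require {']
    lines += ['\ttype %s;' % t for t in sorted(types)]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(classes[c]))) for c in sorted(classes)]
    lines.append('}')
    for key in sorted(rules):
        perms = sorted(rules[key])
        body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        lines.append('allow %s %s:%s %s;' % (key[0], key[1], key[2], body))
    return '\n'.join(lines) + '\n'


def merged_te_for_sample():
    """Run the whole pipeline on the constructed inputs."""
    return render_te(merge_rules(parse_te_rules(EXISTING_TE),
                                 parse_denials(SAMPLE_AUDIT_LOG)))


if __name__ == '__main__':
    # On a managed server, read /var/log/audit/audit.log and the current
    # hpsa_agent_custom.te instead of the constructed samples.
    print(merged_te_for_sample(), end='')
```

Review the rendered output against the note above about misleading denials before writing it to hpsa_agent_custom.te: every permission the script unions in is granted to the source domain, so a denial that does not actually block the SA Agent (here, updatedb scanning /opt/opsware/agent) is better left out than allowed.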

Using SELinux in Enforcing mode

If you are enabling SELinux in Enforcing mode, perform the following to allow SA services to work as expected:

When running an SA command, precede the SA command with the run_init command.

For example, the /etc/init.d/opsware-agent startsync command should be updated to:

run_init /etc/init.d/opsware-agent startsync

Note run_init will ask for the root password every time it is used.

HPE does not recommend upgrading the SELinux policy modules in Enforcing mode by unloading the previous policies, because doing so affects the SA SELinux policy modules. Instead, overwrite the previously loaded policies in place with the updated policy module.

For example:

cd /var/opt/opsware/selinux/hpsa_agent_custom
make show_version        # get the current version, if present
[make changes to hpsa_agent_custom.te]
make
make load_policy
make show_version        # get the modified version