How do I troubleshoot SELinux on NSP system components?
Purpose
Perform this procedure to list and resolve any open AVCs on one of the following:
Note: You require root user privileges on a station to switch SELinux modes.
Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.
Note: release-ID in a file path has the following format:
R.r.p-rel.version
where
R.r.p is the NSP release, in the form MAJOR.minor.patch
version is a numeric value
Steps
1 |
Log in as the root user on the station. | ||
2 |
Open a console window. | ||
3 |
Enter one of the following, depending on the NSP component type:
| ||
4 |
To switch from permissive to enforcing mode, enter the following: # ./setroubleshoot.bash collect-avcs ↵ The following messages are displayed: Generating RAW AVC file... + Total Number of distinct AVCs: n + Number of AVCS related to nsp_domain: n | ||
5 |
If the number of nsp_domain AVCs is zero, go to Step 9. | ||
6 |
Enter the following to generate an AVC list file: # ./setroubleshoot.bash resolve-nsp-avcs AVC_list ↵ where AVC_list is a name to assign to the generated file The following messages are displayed, and an AVC list file with a .te extension is created in the directory described in the messages: Generating RAW AVC file... nsp_domain_t AVCs present... generating te file Generated /path/AVC_list.te file IMPORTANT: The /path/tmp/policy/AVC_list/AVC_list.te file generated by this script must be reviewed by an experienced SELinux user before loading You must ensure that the /path/tmp/policy/AVC_list/AVC_list.te file does not include entries that may constitute a security risk to your system. | ||
7 |
The generated file must be reviewed by an experienced SELinux user before the file is loaded in a subsequent step, or system security may be seriously compromised. The reviewer must ensure that the file does not include any entry that may constitute a security risk to your system. Enlist an experienced SELinux user to review the AVC list file. | ||
8 |
If the review reveals any AVCs that need to be included in the generic NSP SELinux policy, perform the following steps.
| ||
9 |
Close the console window. End of steps |