How do I troubleshoot SELinux on the NFM-P?
Purpose
Perform this procedure if SELinux enforcing mode is enabled and you suspect that SELinux is affecting NFM-P operation.
Note: The procedure applies only to the NFM-P components that support SELinux enforcing mode, as listed in SELinux support scope.
Note: You must perform the procedure on each NFM-P station that has SELinux enforcing mode enabled.
Note: You require root user privileges on each station.
Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.
Steps
1. Log in as the root user on the standalone or primary NFM-P main server station.

2. Open a console window.

3. Enter the following:
   # cd /opt/nsp/nfmp/config/selinux/tools/bin ↵

4. Switch to SELinux permissive mode.
   Note: The NFM-P main server can remain running during the switch from enforcing to permissive mode.

5. Enter the following to list all system and NSP-domain AVCs:
   # ./setroubleshoot.bash collect-avcs ↵
   The AVCs are listed.

6. If the command returns any NSP-domain AVCs, enter the following:
   # ./setroubleshoot.bash resolve-nsp-avcs my_policy ↵
   where my_policy is a file name other than nsp_domain that does not include ‘module’.
   A policy module file with a .te extension is created in /opt/nsp/nfmp/config/selinux/tools/bin/tmp/policy.

7. The policy module file generated in Step 6 must be reviewed by an experienced SELinux user before the file is loaded in a subsequent step, or system security may be seriously compromised. The reviewer must ensure that the file does not include any entry that may constitute a security risk to your system. Ensure that the generated policy module file passes a security review.
   Note: If the review reveals any AVC issues, you must not proceed to the next step until the AVC issues are resolved.

8. Enter the following:
   # cd /opt/nsp/nfmp/config/selinux/tools/bin/tmp/policy ↵

9. Enter the following to create the required policy file:
   # make ↵
   A policy file with a .pp extension is created in the current directory.

10. Enter the following to load the policy file:
    # semodule -i policy.pp ↵
    where policy is the name of the policy file generated in Step 9

11. Close the console window.

End of steps
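As an aid to the Step 7 review, the following added example (not part of the NFM-P documentation or tooling) parses the statements in a generated .te file and flags the entries a reviewer would normally question first. The watchlists, the nsp_t type name and the sample module are assumptions constructed for illustration.

```python
import re
# Assumed starting watchlist, not taken from the NFM-P documentation.
RISKY_PERMS = {
    "process": {"execmem", "execstack", "execheap", "ptrace"},
    "capability": {"sys_admin", "sys_ptrace", "sys_module", "dac_override"},
    "security": {"setenforce", "load_policy", "setbool"},
}
SENSITIVE_TARGETS = {"shadow_t", "selinux_config_t", "security_t"}
ALLOW_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+?)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def review_te(text):
    """Return (line_no, rule, reasons) for each statement needing a closer look."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()  # drop comments
        if re.match(r"permissive\s+\w+\s*;", code):
            findings.append((no, code, ["makes a whole domain permissive"]))
            continue
        m = ALLOW_RE.match(code)
        if not m:
            continue  # module/require/blank lines grant nothing
        _source, target, tclass, perms = m.groups()
        perms = set(perms.strip("{} ").split())
        reasons = []
        hits = perms & RISKY_PERMS.get(tclass, set())
        if hits:
            reasons.append(f"{tclass} permission(s): {', '.join(sorted(hits))}")
        if target in SENSITIVE_TARGETS:
            reasons.append(f"access to sensitive type {target}")
        if reasons:
            findings.append((no, code, reasons))
    return findings

# Constructed sample module; nsp_t is a hypothetical domain type name.
SAMPLE_TE = """\
module my_policy 1.0;
require {
    type nsp_t; type shadow_t; type tmp_t;
    class file { read open create write }; class process execmem; class capability sys_admin;
}
allow nsp_t shadow_t:file { read open };
allow nsp_t self:process execmem;
allow nsp_t self:capability sys_admin;
allow nsp_t tmp_t:file { create write };
"""
if __name__ == "__main__":
    for no, rule, reasons in review_te(SAMPLE_TE):
        print(f"line {no}: {rule}  <- {'; '.join(reasons)}")
```

To check a real module, pass the text of the generated .te file to review_te(); an empty result means only that nothing on the watchlist matched, and every allow rule still needs to be read by the reviewer.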