How do I enable SELinux on the NFM-P?

Purpose
CAUTION

Service Disruption

Enabling SELinux in a standalone or redundant NFM-P system creates a network management outage. A standalone system requires a full shutdown and restart; a redundant system requires one or more server activity switches that each may cause a brief service interruption.

Perform the procedure only during a scheduled maintenance period of sufficient duration with the guidance of technical support.

Perform this procedure to enable SELinux on the components of an NFM-P system. You must perform the procedure on each main server, main database, and auxiliary database station.

Note: You must enable permissive mode on each component before you can enable enforcing mode on the components.

Note: You require the following user privileges:

  • on each main and auxiliary server station — root, nsp

  • on each main database station — root

Note: The following RHEL CLI prompts in command lines denote the active user, and are not to be included in typed commands:

  • # — root user

  • bash$ — nsp user

Steps
Check for required OS packages

1

Before you can enable SELinux on a station, you must ensure that the required RHEL OS packages are installed.

Perform the following steps on each main server, main database, and auxiliary server station.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    /opt/nsp/nfmp/config/selinux/tools/bin/selinuxenable.sh -c ↵

    A status message is displayed.

  4. If the message indicates that one or more required SELinux packages are not installed, enter the following:

    dnf -y install policycoreutils setools-console libselinux-devel setroubleshoot-server selinux-policy-devel selinux-policy-doc ↵

    The packages are installed.


Close client sessions

2

Close the open GUI and XML API client sessions, as required.

  1. Open a GUI client using an account with security management privileges, such as admin.

  2. Choose Administration→Security→NFM-P User Security from the main menu. The NFM-P User Security - Security Management (Edit) form opens.

  3. Click on the Sessions tab.

  4. Click Search. The form lists the open GUI and XML API client sessions.

  5. Identify the GUI session that you are using based on the value in the Client IP column.

  6. Select all sessions except for the following:

    • the session that you are using

    • the sessions required to monitor the network during a redundant system upgrade

  7. Click Close Session.

  8. Click Yes to confirm the action.

  9. Click Search to refresh the list and verify that only the required sessions are open.

  10. Close the NFM-P User Security - Security Management (Edit) form.

  11. Close your GUI client.

  12. Sign out of the NSP UI, if you are signed in.


3

If the NFM-P system is standalone:

  1. Perform Step 5 to Step 10 on the main server, main database, and auxiliary server.

  2. Go to Step 13.


4

If the NFM-P system is redundant:

  1. Perform Step 5 to Step 12 on the standby server complex.

    After this step, the initial standby server complex is the new primary complex.

  2. Perform Step 5 to Step 10 on the initial primary server complex, which is the new standby server complex.

  3. If you want to restore the initial primary and standby roles of the server complexes, go to Step 11. Otherwise, go to Step 13.


Stop system components

5

Stop the main server.

  1. Log in to the main server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  4. Enter the following:

    bash$ ./nmsserver.bash stop ↵

  5. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully stopped if the status is the following:

    Application Server is stopped

    If the server is not fully stopped, wait five minutes and then repeat this step. Do not perform the next step until the server is fully stopped.

  6. Enter the following to switch to the root user:

    bash$ su - ↵

  7. If the NFM-P system is not part of a shared-mode NSP deployment, enter the following:

    systemctl stop nspos-nspd.service ↵


6

Stop the Oracle proxy and database services.

  1. Log in to the database station as the root user.

  2. Open a console window.

  3. Enter the following to stop the Oracle proxy:

    systemctl stop nfmp-oracle-proxy.service ↵

  4. Enter the following to stop the main database:

    systemctl stop nfmp-main-db.service ↵


7

If the system includes one or more auxiliary servers, stop each auxiliary server.

  1. Log in to the auxiliary server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ /opt/nsp/nfmp/auxserver/nms/bin/auxnmsserver.bash auxstop ↵

    The auxiliary server stops.


Enable SELinux on components

8

Enter the following as the root user on each main server, main database, and auxiliary server station:

/opt/nsp/nfmp/config/selinux/tools/bin/selinuxenable.sh -p ↵


Apply SELinux labels and reboot

9

Perform the following steps as the root user on each main server, main database, and auxiliary server station.

  1. Enter the following:

    /opt/nsp/nfmp/config/selinux/installer/bin/nsp-selinux-config.bash ↵

  2. Enter the following to back up all system audit logs:

    cp /var/log/audit/audit.log* backup_location ↵

    where backup_location is a secure location on a station outside the NFM-P deployment

  3. Enter the following to delete the system audit logs and thereby clear the SELinux AVC history:

    rm -f /var/log/audit/audit.log* ↵

  4. Enter the following:

    systemctl reboot ↵

    The station reboots.

    After the reboot, the SELinux labels take effect as SELinux runs in targeted permissive mode in the nsp_domain_t domain.


Verify system startup
 
10 

After each station is rebooted, verify that the main server, main database, and auxiliary servers are operational.

Note: If any command in a substep indicates that the component is not yet operational, wait one minute and then re-issue the command.

  1. Enter the following as the root user on the main database station:

    systemctl status nfmp-main-db.service ↵

    If the command output includes the following, the database is operational:

    Active: active (running) since time

  2. Enter the following as the root user on the main database station:

    systemctl status nfmp-oracle-proxy.service ↵

    If the command output includes the following, the database proxy is operational:

    Active: active (running) since time

  3. Enter the following as the nsp user on the main server station:

    bash$ /opt/nsp/nfmp/server/nms/bin/nmsserver.bash appserver_status ↵

    If the command output includes the following, the main server is operational:

    Application Server process is running.  See nms_status for more detail.

  4. On each auxiliary server station, enter the following as the nsp user:

    bash$ /opt/nsp/nfmp/auxserver/nms/bin/auxnmsserver.bash auxappserver_status ↵

    If the command output includes the following, the auxiliary server is operational:

    Auxiliary Server process is running.  See auxnms_status for more detail.
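
With the components running again in permissive mode, SELinux logs denials for nsp_domain_t to the freshly cleared audit log instead of blocking them, and those records are what you review before moving to enforcing mode. The following is an added example, not part of the vendor procedure or tooling: a shell function that counts AVC denials for one source domain; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): count AVC denials logged for one SELinux
# source domain, grouped by command, target type, class and permissions.
# Usage: summarize_avc <audit-log-file | -> [source_type]
summarize_avc() {
    awk -v dom="${2:-nsp_domain_t}" '
    /type=AVC/ && /denied/ {
        st = tt = cls = comm = ""; mode = "permissive=?"
        # The permission list sits between the braces.
        perms = $0
        sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)        { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/)   { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)     cls = substr($i, 8)
            else if ($i ~ /^comm=/)       { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^permissive=/) mode = $i
        }
        if (st != dom) next          # keep only the requested source domain
        n[comm ": " st " -> " tt ":" cls " { " perms " } " mode]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' "${1:--}" | sort -k1,1nr -k2
}

# Constructed sample records in audit.log AVC format (not real NFM-P output).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:210): avc:  denied  { read } for  pid=2101 comm="java" name="app.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:nsp_domain_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000005.330:214): avc:  denied  { read } for  pid=2101 comm="java" name="app.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:nsp_domain_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000009.712:220): avc:  denied  { name_connect } for  pid=2101 comm="java" dest=8085 scontext=system_u:system_r:nsp_domain_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000009.712:220): arch=c000003e syscall=42 success=yes exit=0 pid=2101 comm="java" subj=system_u:system_r:nsp_domain_t:s0
type=AVC msg=audit(1700000012.004:231): avc:  denied  { read } for  pid=900 comm="httpd" name="shadow" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
EOF
}

sample_log | summarize_avc -
```

Records with permissive=1 were logged but allowed; on a station, run the function as root against /var/log/audit/audit.log.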


Switch redundancy roles
 
11 

If automatic database realignment is not enabled, perform a database switchover.

  1. As the nsp user on the main server station, enter the following:

    bash$ /opt/nsp/nfmp/server/nms/bin/switchoverdb.bash -u username -p password ↵

    where username and password are the login credentials of an NFM-P user with the required privilege level and scope of command

    The script displays the following confirmation message:

    The standby database will become the new primary database, and the old primary will become the new standby. Do you want to proceed? (YES/no) :

  2. Enter the following to initiate the switchover:

    YES ↵

    The NFM-P server initiates a database switchover. Progress is indicated by a rolling display of dots in the console window. The database switchover is complete when the CLI prompt reappears.


12 

Enter the following to perform a server activity switch:

bash$ /opt/nsp/nfmp/server/nms/bin/nmsserver.bash force_restart ↵

The server activity switch begins. The standby main server restarts as the primary main server, and the primary restarts as the standby.


13 

Close the open console windows.

End of steps