How do I enable SELinux on an NSP Flow Collector Controller?

Purpose

Perform this procedure to enable SELinux on a station that hosts:

  • only an NSP Flow Collector Controller

  • a collocated NSP Flow Collector Controller and Flow Collector

Note: You must enable permissive mode on the NSP Flow Collector Controller station before you can enable enforcing mode on the station.

Note: You require root user privileges on the NSP Flow Collector Controller station.

Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.

Steps
 

Log in as the root user on the NSP Flow Collector Controller station.

Open a console window.

Enter the following:

cd /opt/nsp/tools/selinux/tools/bin ↵

Check for required OS packages
 

Enter the following:

./selinuxenable.sh -c ↵

Any missing OS packages required by SELinux are listed.

If the message indicates that one or more required SELinux packages are not installed, enter the following:

dnf -y install package_1 package_2 ... package_n

where package_1 package_2 ... package_n are the names of the listed packages

The packages are installed.

Enable permissive mode
 

./selinuxenable.sh -p ↵

The SELinux mode is set to permissive.

Apply SELinux labels
 

Enter the following:

/opt/nsp/tools/selinux/installer/bin/nsp-selinux-config.bash ↵

The script loads the required AVC policy, fcc_nsp_domain.pp, and labels the files and directories named in the policy.

Enter the following to back up the system audit logs:

cp /var/log/audit/audit.log* backup_location

where backup_location is a secure location on a separate station

Enter the following to delete the system audit logs and thereby clear the SELinux AVC history:

rm -f /var/log/audit/audit.log* ↵

10 

Stop the NSP Flow Collector Controller.

Note: If the NSP Flow Collector Controller is collocated on a station with an NSP Flow Collector, stopping the NSP Flow Collector Controller also stops the Flow Collector.

  1. Enter the following to switch to the nsp user:

    su - nsp ↵

  2. Enter the following:

    bash$ /opt/nsp/flow/fcc/bin/flowCollectorController.bash stop ↵

    The NSP Flow Collector Controller stops.

  3. Enter the following to switch back to the root user:

    bash$ su - ↵

11 

Enter the following:

systemctl reboot ↵

The station reboots.

After the reboot, the SELinux labels take effect as SELinux runs in targeted permissive mode in the nsp_domain_t domain.

12 

After the reboot, enter the following to verify that the karaf processes are running in the nsp_domain_t domain:

ps -aefZ | grep karaf | grep -v grep ↵

Process entries like the following are listed:

system_u:system_r:nsp_domain_t:s0 process_description

13 

If any listed entry does not include nsp_domain_t, contact technical support for assistance.

14 

Enter the following to verify that the policy file is loaded.

semodule -l | egrep 'nsp' ↵

The policy file is listed, as shown below:

fcc_nsp_domain

15 

If the fcc_nsp_domain policy is not listed, contact technical support for assistance.

16 

Close the open console windows.

End of steps