What is SELinux?

Introduction

For greater system security, you can enable RHEL SELinux on NSP components. SELinux logs user operations in Application Visibility and Control (AVC) messages, which are stored in local logs. SELinux has two modes, permissive and enforcing; the support for each is described in SELinux support scope.

See the RHEL documentation for comprehensive SELinux configuration and implementation information.

Note: The SELinux policies for the NSP product are to be applied only to the NSP product and the RHEL OS packages listed in the NSP Installation and Upgrade Guide. Any SELinux denials for other software packages are not the responsibility of Nokia.

SELinux permissive mode

No SELinux policy is enforced in permissive mode, and no operations are denied. However, SELinux does log AVC messages while in permissive mode. AVC messages may be of use for troubleshooting, debugging, and SELinux policy improvements. An AVC message is logged each time a violation occurs.

SELinux enforcing mode

In enforcing mode, SELinux enforces the policies specified in the NSP SELinux configuration, and logs AVC messages as required.

SELinux support scope

You can enable SELinux in enforcing mode on the following:

SELinux is supported only in permissive mode on the following:

SELinux troubleshooting

In the event that a system or component in SELinux enforcing mode has functional issues and an AVC is present, a change to permissive mode may resolve the issue. If enabling permissive mode resolves the issue, and the AVC is in the NSP domain, it is strongly recommended that you raise a support ticket to report the AVC.
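
The triage step described above can be scripted. The following is an added example, not part of the NSP documentation or Nokia tooling: it parses AVC denial records in the auditd log format and separates denials in the NSP domain from those outside it. It assumes the NSP domain is identified by the type in the source context and uses a hypothetical `nsp_` type prefix; the sample records are constructed.

```python
import re

# Constructed sample records in the auditd log format (/var/log/audit/audit.log).
SAMPLE_LOG = '''\
type=AVC msg=audit(1700000001.101:410): avc:  denied  { read } for  pid=2101 comm="nsp-worker" name="app.conf" dev="dm-0" ino=7711 scontext=system_u:system_r:nsp_example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.101:410): arch=c000003e syscall=257 success=no exit=-13 comm="nsp-worker"
type=AVC msg=audit(1700000002.202:411): avc:  denied  { name_connect } for  pid=3300 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000003.303:412): avc:  denied  { write } for  pid=2101 comm="nsp-worker" name="run" dev="dm-0" ino=7802 scontext=system_u:system_r:nsp_example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
'''

# Assumption: NSP policy domain types share this prefix. It is a placeholder;
# substitute the type names from the NSP SELinux policy installed on the host.
NSP_TYPE_PREFIX = "nsp_"

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+?) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    source_type = m["scontext"].split(":")[2]   # context is user:role:type:level
    return {
        "comm": m["comm"],
        "perms": m["perms"].split(),
        "source_type": source_type,
        "target_type": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        # permissive=0: access was blocked; 1: logged only; older kernels omit the field.
        "blocked": m["permissive"] == "0" if m["permissive"] else None,
        "nsp_domain": source_type.startswith(NSP_TYPE_PREFIX),
    }

def triage(log_text):
    """Split denials into those to report to support and those outside NSP scope."""
    denials = [d for d in map(parse_avc, log_text.splitlines()) if d]
    report = [d for d in denials if d["nsp_domain"]]
    out_of_scope = [d for d in denials if not d["nsp_domain"]]
    return report, out_of_scope

if __name__ == "__main__":
    report, other = triage(SAMPLE_LOG)
    for tag, group in (("report to support", report), ("outside NSP scope", other)):
        for d in group:
            print(tag, d["comm"], d["source_type"], d["perms"], d["tclass"], d["blocked"])
```

A record with `permissive=1` was logged without being denied, which is what you expect to see for the same operation after the switch to permissive mode.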