How do I enable SELinux enforcing mode for the NFM-P?

Purpose
CAUTION

Potential Security Risk

Enabling SELinux enforcing mode when any AVCs remain unresolved may pose a security risk.

Before you attempt to enable enforcing mode, you must resolve any AVCs associated with the nsp_domain_t domain that are raised during a soak period in permissive mode.

It is strongly recommended that the system run in permissive mode for at least seven days with no nsp_domain_t AVCs on any NFM-P main server, main database, or auxiliary server.

Perform this procedure to enable SELinux enforcing mode in an NFM-P system.

Note: You must perform the procedure on each component that supports SELinux enforcing mode, as listed in SELinux support scope.

Note: You must enable permissive mode on each component, as described in How do I enable SELinux on the NFM-P?, before you can enable enforcing mode on the components.

Note: You do not need to stop any NFM-P processes in order to switch from permissive to enforcing mode.

Note: You require root user privileges on each station.

Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.

Steps
 

1

Log in to the component station as the root user.


2

Open a console window.


3

Enter the following:

cd /opt/nsp/nfmp/config/selinux/tools/bin ↵


4

Enter the following to list all system and NSP-domain AVCs:

./setroubleshoot.bash collect-avcs ↵

The AVCs are listed.
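The caution at the top of this procedure (no nsp_domain_t AVCs for the whole soak period) and this listing step both come down to one question: does any denial from the NSP domain remain in the audit records? The following is an added example, not part of the NFM-P documentation or its setroubleshoot.bash tooling. It parses kernel AVC records in the standard audit format from standard input and refuses to approve the switch while any denial whose source context type is the named domain remains. The audit lines it runs on are constructed; on a live host the input would come from ausearch -m AVC, which is an assumption about where you read records from, not a replacement for the collect-avcs script.

```shell
# Added example (not from the NFM-P documentation): gate the switch to
# enforcing mode on the absence of AVC denials from a given SELinux domain.

# Constructed sample audit records: one denial from nsp_domain_t, one from a
# system domain (crond_t), and one non-AVC record that must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="java" name="server.log" dev="dm-0" ino=98765 scontext=system_u:system_r:nsp_domain_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=2345 comm="crond" name="passwd" dev="dm-0" ino=11111 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000001.456:457): arch=c000003e syscall=2 success=yes exit=3'

# count_domain_avcs DOMAIN  (audit records on stdin)
# Prints the number of AVC denial records whose scontext type field is DOMAIN.
# The source context has the form user:role:type:level, so the type is the
# third colon-separated field of the scontext= token.
count_domain_avcs() {
    awk -v dom="$1" '
        /avc: +denied/ && match($0, /scontext=[^ ]+/) {
            ctx = substr($0, RSTART, RLENGTH)
            split(ctx, parts, ":")
            if (parts[3] == dom) count++
        }
        END { print count + 0 }'
}

# enforcing_gate DOMAIN  (audit records on stdin)
# Returns 0 when no denials from DOMAIN remain, 1 otherwise, so it can be
# used as a precondition before the enforcing switch is attempted.
enforcing_gate() {
    n=$(count_domain_avcs "$1")
    if [ "$n" -eq 0 ]; then
        echo "no $1 AVCs in the supplied records: enforcing mode may be considered"
        return 0
    fi
    echo "$n unresolved $1 AVC(s): stay in permissive mode and resolve them first" >&2
    return 1
}

# Demonstration on the constructed records; on a host, replace the printf with
# e.g.  ausearch -m AVC -ts today | enforcing_gate nsp_domain_t
printf '%s\n' "$SAMPLE_AVCS" | enforcing_gate nsp_domain_t || :
```

The type is taken from the scontext field rather than from a substring match on the whole line, so a denial against an nsp_domain_t-labelled target (tcontext) raised by another domain is not miscounted as an NSP-domain AVC.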


5

If the command returns any NSP-domain AVCs, enter the following:

./ resolve-nsp-avcs my_policy ↵

where my_policy is a file name other than nsp_domain that does not include 'module'.

A policy module file with a .te extension is created in /opt/nsp/nfmp/config/selinux/tools/bin/tmp/policy.


6

WARNING


Extreme Security Risk

The policy module file generated in Step 5 must be reviewed by an experienced SELinux user before the file is loaded in a subsequent step, or system security may be seriously compromised.

The reviewer must ensure that the file does not include any entry that may constitute a security risk to your system.

Ensure that the generated policy module file passes a security review.

  1. Enlist an experienced SELinux user to review the policy module file.

  2. If the review reveals any AVCs that need to be included in the generic NSP SELinux policy, the reviewer must open a support ticket and include the SELinux logs data generated by running the following script:

    /opt/nsp/nfmp/config/selinux/tools/bin/cgselinuxlogs.sh

  3. Make note of the policy created in Step 5 in the event that the experienced SELinux user needs to modify or remove the policy in the future. Maintenance of the policy is the responsibility of the SELinux user.

Note: If the review reveals any AVC issues, you must not proceed to the next step until the AVC issues are resolved.
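The review in this step is manual and stays the reviewer's responsibility; what can be automated is a first pass that surfaces the statements reviewers most often reject. The following is an added example, not part of the NFM-P documentation or its scripts: a lint over a generated .te module that flags permissive declarations, grants of powerful capabilities, allow rules touching sensitive target types, and wildcard permission sets. The list of sensitive types and capabilities is the example's own choice, and the sample module is constructed in the shape that audit2allow-style tools emit.

```shell
# Added example (not from the NFM-P documentation): first-pass lint for a
# generated SELinux policy module (.te) before it is built and loaded.

# Constructed sample module. The first allow rule is the kind a log-writing
# service legitimately needs; the remaining statements are ones a reviewer
# should question.
SAMPLE_TE='module my_policy 1.0;

require {
    type nsp_domain_t;
    type var_log_t;
    type shadow_t;
    type tmp_t;
    class file { read write open getattr };
    class capability { dac_override sys_admin };
}

#============= nsp_domain_t ==============
allow nsp_domain_t var_log_t:file { read write open getattr };
allow nsp_domain_t shadow_t:file { read open };
allow nsp_domain_t self:capability { dac_override sys_admin };
allow nsp_domain_t tmp_t:file *;
permissive nsp_domain_t;
'

# lint_te_module  (.te text on stdin)
# Prints "reason: statement" for every flagged statement and returns the
# number of findings as its exit status (0 means nothing was flagged).
lint_te_module() {
    awk '
        function flag(reason) { n++; printf "%s: %s\n", reason, $0 }
        BEGIN { n = 0 }
        # comments and blank lines carry no policy
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # a permissive statement exempts the domain from enforcement entirely
        /^[[:space:]]*permissive[[:space:]]/ {
            flag("permissive declaration (domain would not be enforced)"); next }
        # capabilities that amount to bypassing DAC or administering the host
        /^[[:space:]]*allow[[:space:]]/ && /:capability[0-9]*[[:space:]]*[{][^}]*(dac_override|dac_read_search|sys_admin|sys_module|setuid|setgid)/ {
            flag("powerful capability grant"); next }
        # target types that hold credentials or system configuration
        /^[[:space:]]*allow[[:space:]]/ && /[[:space:]](shadow_t|passwd_file_t|ssh_key_t|etc_t|security_t):/ {
            flag("access to a sensitive target type"); next }
        # "*" in place of a permission set grants every permission of the class
        /^[[:space:]]*allow[[:space:]]/ && /:[a-z_]+[[:space:]]+\*[[:space:]]*;/ {
            flag("wildcard permission set"); next }
        END { exit n }'
}

# Demonstration on the constructed module; on a host, run it against the
# .te file written to /opt/nsp/nfmp/config/selinux/tools/bin/tmp/policy.
printf '%s\n' "$SAMPLE_TE" | lint_te_module \
    || echo "findings above need a reviewer's decision before the module is loaded" >&2
```

A clean result from this lint is not a pass: the reviewer still reads every allow rule and decides whether the access it grants is one the NFM-P component genuinely needs. The lint only makes sure the obviously dangerous statements are not overlooked in a long generated file.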


7

Enter the following:

cd /opt/nsp/nfmp/config/selinux/tools/bin/tmp/policy ↵


8

Enter the following to create the required policy file:

make ↵

A policy file with a .pp extension is created in the current directory.


9

Enter the following to load the policy file:

semodule -i policy.pp ↵

where policy is the name of the policy file generated in Step 8.


10 

Enable enforcing mode.

  1. Enter the following:

    cd /opt/nsp/nfmp/config/selinux/tools/bin ↵

  2. Enter the following:

    ./selinuxenable.sh -e ↵

SELinux is enabled in enforcing mode.


11 

Enter the following:

getenforce ↵

The SELinux mode is displayed.


12 

View the command output to verify that SELinux is enabled in enforcing mode.


13 

Close the console window.

End of steps