What is SELinux?

Introduction

For greater system security, you can enable RHEL SELinux on NSP components. SELinux logs user operations in Application Visibility and Control, or AVC messages that are stored in local logs. SELinux has two modes, permissive and enforcing; the support for each is described in SELinux support scope.

See the RHEL documentation for comprehensive SELinux configuration and implementation information.

Note: The SELinux policies for the NSP product are to be applied only to the NSP product and the RHEL OS packages listed in the NSP Installation and Upgrade Guide. Any SELinux denials for other software packages are not the responsibility of Nokia.

SELinux permissive mode

No SELinux policy is enforced in permissive mode, and no operations are denied. However, SELinux does log AVC messages while in permissive mode. AVC messages may be of use for troubleshooting, debugging, and SELinux policy improvements. An AVC message is logged each time a violation occurs.

SELinux enforcing mode

In enforcing mode, SELinux enforces the policies specified in the NSP SELinux configuration, and logs AVC messages as required.

SELinux support scope

The procedures in this section describe enabling SELinux on the following:

• NSP deployer host

• NSP cluster VM

• NSP Flow Collector

• NSP Flow Collector Controller

Note: An NSP auxiliary database supports SELinux only in permissive mode, which is enabled by default.

SELinux for Classic Management describes enabling SELinux on the following, which support SELinux enforcing mode:

• NFM-P main server

• NFM-P main database

• NFM-P auxiliary server