How do I troubleshoot SELinux on NSP system components?

Purpose

Perform this procedure to list and resolve any open AVCs on one of the following:

  • NSP deployer host

  • NSP cluster nodes

  • NSP Flow Collector Controller

  • NSP Flow Collector

  • NSP auxiliary database

Note: You require root user privileges on a station to switch SELinux modes.

Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

Log in as the root user on the station.

Open a console window.

Enter one of the following, depending on the NSP component type:

  1. NSP deployer host:

    cd /opt/nsp/nsp-k8s-deployer-release-ID/tools/selinux/tools/bin ↵

  2. NSP cluster node:

    cd /opt/nsp/nsp-deployer/tools/selinux/tools/bin ↵

  3. NSP Flow Collector Controller, Flow Collector, or auxiliary database:

    cd /opt/nsp/tools/selinux/tools/bin ↵

To switch from permissive to enforcing mode, enter the following:

./setroubleshoot.bash collect-avcs ↵

The following messages are displayed:

Generating RAW AVC file...

+ Total Number of distinct AVCs: n

    + Number of AVCS related to nsp_domain: n

If the number of nsp_domain AVCs is zero, go to Step 9.

Enter the following to generate an AVC list file:

./setroubleshoot.bash resolve-nsp-avcs AVC_list

where AVC_list is a name to assign to the generated file

The following messages are displayed, and an AVC list file with a .te extension is created in the directory described in the messages:

Generating RAW AVC file...

nsp_domain_t AVCs present... generating te file

Generated /path/AVC_list.te file

IMPORTANT: The /path/tmp/policy/AVC_list/AVC_list.te file generated by this script must be reviewed by an experienced SELinux user before loading

You must ensure that the /path/tmp/policy/AVC_list/AVC_list.te file does not include entries that may constitute a security risk to your system.
WARNING 

WARNING

Extreme Security Risk

The generated file must be reviewed by an experienced SELinux user before the file is loaded in a subsequent step, or system security may be seriously compromised.

The reviewer must ensure that the file does not include any entry that may constitute a security risk to your system.

Enlist an experienced SELinux user to review the AVC list file.

If the review reveals any AVCs that need to be included in the generic NSP SELinux policy, perform the following steps.

  1. Enter the following to capture the local SELinux log files for further analysis by Nokia:

    ./cgselinuxlogs ↵

    Messages like the following are displayed:

    Creating log file... /path/selinux

    Deleting previous generated selinux logs in /path/selinux

    Running selinux_capture_logs.sh, please wait (have patience..).

    ...

    Log files going to directory /path/selinux

    .

    .

    .

    Provide the following to Nokia for review: /tmp/nspselinux/selinuxLogsselinux-station_descriptor-timestamp.tar.gz

  2. Direct the SELinux user to make note of the generated file in the event that the policy requires modification in the future.

    Note: Maintenance of the policy is the responsibility of the SELinux user.

  3. Direct the SELinux user to open a Nokia support ticket that includes the generated /tmp/nspselinux/selinuxLogsselinux-station_descriptor-timestamp.tar.gz file.

Close the console window.

End of steps