How do I enable SELinux in an NSP cluster?

Purpose

Perform this procedure to enable SELinux, in permissive mode, on the member nodes of an NSP cluster.

Note: This procedure sets permissive mode only. You must enable permissive mode on all NSP cluster nodes before you can enable enforcing mode on any node.

Note: You require root user privileges on each NSP cluster node.

Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.

Steps
 
1 

Perform Step 3 to Step 11 on each node in the NSP cluster.


2 

Go to Step 12.


Individual node configuration
 
3 

Log in as the root user on the NSP cluster node.


4 

Open a console window.


5 

Enter the following:

cd /opt/nsp/nsp-deployer/tools/selinux/tools/bin ↵


Check for required OS packages
 
6 

Enter the following:

./selinuxenable.sh -c ↵

Any OS packages required by SELinux that are not installed are listed.


7 

If the output lists one or more required SELinux packages that are not installed, enter the following:

dnf -y install package_1 package_2 ... package_n ↵

where package_1 package_2 ... package_n are the names of the listed packages

The packages are installed.


Enable permissive mode
 
8 

Enter the following:

./selinuxenable.sh -p ↵

The SELinux mode is set to permissive.


Apply SELinux labels
 
9 

Enter the following:

/opt/nsp/nsp-deployer/tools/selinux/installer/bin/nsp-selinux-config.bash ↵

The script loads the required AVC policy, k8s_nsp_domain.pp, and labels the files and directories named in the policy.


10 

Enter the following to back up the system audit logs:

cp /var/log/audit/audit.log* backup_location ↵

where backup_location is a secure location on a separate station

Confirm that the copy is complete before you continue; the logs are deleted in the next step and cannot be recovered from the node afterwards.


11 

Enter the following to delete the system audit logs and thereby clear the SELinux AVC history, so that after the reboot the log contains only denials generated under the new labels:

rm -f /var/log/audit/audit.log* ↵

Note: auditd keeps the deleted file open, so a fresh audit.log does not appear in /var/log/audit until auditd is restarted, which the reboot in Step 13 does.


Restart NSP cluster
 
12 

Perform How do I stop an NSP cluster? to gracefully shut down the NSP cluster and preserve the cluster data.


13 

Enter the following:

systemctl reboot ↵

The node reboots.

After the reboot, SELinux runs in permissive mode with the targeted policy, the labels applied in Step 9 are in effect, and the NSP Kubernetes processes run in the nsp_domain_t domain. Any denials are logged to /var/log/audit/audit.log but are not enforced.


14 

After the reboot, enter the following to verify that the required processes are running in the nsp_domain_t domain:

ps -aefZ | egrep 'kube-apiserver|kube-scheduler|kube-controller-manager|/usr/local/bin/etcd|/usr/local/bin/kube-proxy|/usr/local/bin/kubelet|/kube-state-metrics|/usr/bin/kube-controllers' | egrep -v 'grep' ↵

Process entries like the following are listed:

system_u:system_r:nsp_domain_t:s0 process_description


15 

If any listed entry does not include nsp_domain_t, contact technical support for assistance.


16 

Enter the following to verify that the policy module is loaded:

semodule -l | grep k8s_nsp_domain ↵

The policy file is listed, as shown below:

k8s_nsp_domain


17 

Start the NSP cluster; perform How do I start an NSP cluster?.


18 

Close the open console windows.

End of steps
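The following companion script is an added example and is not part of the NSP deployer tools. It automates Steps 10 and 11 (copy the audit logs, count the copies and write a sha256 manifest beside them, and delete the originals only if every file was copied) and the post-reboot checks of Steps 14 to 16 (required processes in nsp_domain_t, k8s_nsp_domain module loaded, SELinux mode still Permissive). The check functions read command output on standard input, so the same code runs against the live node and against the constructed sample ps output embedded in the script. The script name, its sub-commands and the sample process lines are assumptions; it relies only on standard RHEL tools (ps, getenforce, semodule, sha256sum, awk). The cluster stop and start of Steps 12 and 17 are not automated.

```shell
#!/usr/bin/env bash
# nsp-selinux-helper.sh (hypothetical name; added example, not an NSP tool)
#   ./nsp-selinux-helper.sh audit-backup DIR   Steps 10 and 11 on this node
#   ./nsp-selinux-helper.sh verify             Steps 14 to 16 after the reboot
# Assumes standard RHEL tools: ps, getenforce, semodule, sha256sum, awk.
set -u

# Process names from Step 14 as one alternation, without stray spaces that
# would otherwise require each name to be surrounded by blanks in ps output.
REQUIRED='kube-apiserver|kube-scheduler|kube-controller-manager|/usr/local/bin/etcd|/usr/local/bin/kube-proxy|/usr/local/bin/kubelet|/kube-state-metrics|/usr/bin/kube-controllers'

# Steps 14 and 15. Reads `ps -aefZ` output on stdin; the first field is the
# SELinux context. Prints every required process whose type is not
# nsp_domain_t and returns 1 if there was at least one such process.
check_domains() {
    local line ctx bad=0
    while IFS= read -r line; do
        printf '%s\n' "$line" | grep -Eq "$REQUIRED" || continue
        case "$line" in *grep*) continue ;; esac      # skip our own pipeline
        ctx=$(printf '%s\n' "$line" | awk '{print $1}')
        case "$ctx" in
            *:nsp_domain_t:*) ;;
            *) printf 'not in nsp_domain_t: %s\n' "$line"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Step 16. Reads `semodule -l` output on stdin (module name alone, or name
# followed by a version column on older releases).
check_module() { grep -Eq '^k8s_nsp_domain([[:space:]]|$)'; }

# This procedure must leave SELinux in permissive mode; enforcing mode is
# enabled later. Reads `getenforce` output on stdin, $1 is the expected mode.
check_mode() { [ "$(head -n 1)" = "${1:-Permissive}" ]; }

# Steps 10 and 11. Copy first, count the copies and write a sha256 manifest
# beside them, and delete the originals only when everything was copied.
# DIR is a local staging directory; move it to a separate station afterwards.
backup_and_clear_audit() {
    local dest=$1 n_src n_dst
    mkdir -p "$dest" || return 1
    cp -p /var/log/audit/audit.log* "$dest"/ || return 1
    n_src=$(ls /var/log/audit/audit.log* | wc -l)
    n_dst=$(ls "$dest"/audit.log* | wc -l)
    [ "$n_src" -eq "$n_dst" ] || { echo "copied $n_dst of $n_src files, not deleting"; return 1; }
    ( cd "$dest" && sha256sum audit.log* > audit.sha256 ) || return 1
    # auditd keeps the unlinked file open; a fresh audit.log appears after
    # the reboot in Step 13.
    rm -f /var/log/audit/audit.log*
}

# Live run of the post-reboot checks; returns non-zero if any check fails.
verify_node() {
    local rc=0
    ps -aefZ | check_domains || rc=1
    semodule -l | check_module || { echo 'k8s_nsp_domain is not loaded'; rc=1; }
    getenforce | check_mode Permissive \
        || { echo "SELinux mode is $(getenforce), expected Permissive"; rc=1; }
    return "$rc"
}

# Constructed sample of `ps -aefZ` output (not captured from a real node):
# three NSP processes in nsp_domain_t plus an unrelated container process.
sample_ps_ok() {
cat <<'EOF'
LABEL                             UID   PID  PPID  C STIME TTY      TIME CMD
system_u:system_r:nsp_domain_t:s0 root 1201     1  2 08:00 ?    00:03:10 /usr/local/bin/kubelet --config=/etc/kubernetes/kubelet.conf
system_u:system_r:nsp_domain_t:s0 root 1340  1201  4 08:00 ?    00:05:55 kube-apiserver --secure-port=6443
system_u:system_r:nsp_domain_t:s0 root 1355  1201  1 08:00 ?    00:01:02 kube-scheduler --leader-elect=true
system_u:system_r:container_t:s0:c1,c2 root 2200 1201 0 08:01 ? 00:00:10 /pause
EOF
}
# Same sample with one kube-proxy left in the wrong domain (the Step 15 case).
sample_ps_bad() {
    sample_ps_ok
    echo 'system_u:system_r:unconfined_service_t:s0 root 1202 1 0 08:00 ? 00:00:30 /usr/local/bin/kube-proxy --proxy-mode=iptables'
}

case "${1:-}" in
    verify)       verify_node ;;
    audit-backup) backup_and_clear_audit "${2:?usage: $0 audit-backup DIR}" ;;
    *)            : ;;   # no sub-command: only define the functions
esac
```

Run `./nsp-selinux-helper.sh audit-backup /root/audit-staging` as root in place of Steps 10 and 11, then move the staging directory off the node, and `./nsp-selinux-helper.sh verify` after the reboot of Step 13; a non-zero exit with a `not in nsp_domain_t:` line is the Step 15 condition for which the procedure says to contact technical support.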