|
1 |
Log in as the root or NSP admin user on the NSP deployer host.
|
2 |
Open a console window.
|
3 |
Enter the following:
# cd /opt/nsp/nsp-k8s-deployer-release-ID/tools/selinux/tools/bin ↵
|
Check for required OS packages
|
4 |
Enter the following:
# ./selinuxenable.sh -c ↵
Any missing OS packages required by SELinux are listed.
|
5 |
If the message indicates that one or more required SELinux packages are not installed, enter the following:
# dnf -y install package_1 package_2 ... package_n ↵
where package_1 package_2 ... package_n are the names of the listed packages
The packages are installed.
|
Enable permissive mode
|
6 |
Enter the following:
# ./selinuxenable.sh -p ↵
The SELinux mode is set to permissive.
|
Apply SELinux labels
|
7 |
Enter the following:
# cd /opt/nsp/nsp-k8s-deployer-release-ID/tools ↵
|
8 |
Enter the following:
# selinux/installer/bin/nsp-selinux-config.bash ↵
The script loads the required AVC policy, k3s_nsp_domain.pp, and labels the files and directories named in the policy.
|
9 |
Enter the following to back up the system audit logs:
# cp /var/log/audit/audit.log* backup_location ↵
where backup_location is a secure location on a separate station
|
10 |
Enter the following to delete the system audit logs and thereby clear the SELinux AVC history:
# rm -f /var/log/audit/audit.log* ↵
|
11 |
Enter the following:
# systemctl reboot ↵
The station reboots.
After the reboot, the SELinux labels take effect as SELinux runs in targeted permissive mode in the nsp_domain_t domain.
|
12 |
After the reboot, enter the following to verify that the required processes are running in the nsp_domain_t domain:
# ps -aefZ | grep -v grep | egrep 'k3s|harbor|traefik|coredns|provisioner|registry' ↵
Process entries like the following are listed:
system_u:system_r:nsp_domain_t:s0 process_description
|
13 |
If any listed entry does not include nsp_domain_t, contact technical support for assistance.
|
14 |
Enter the following to verify that the policy file is loaded:
# semodule -l | grep k3s_nsp_domain ↵
The policy file is listed, as shown below:
k3s_nsp_domain
|
15 |
If the k3s_nsp_domain policy is not listed, contact technical support for assistance.
|
16 |
Close the open console windows.
End of steps |
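The checks in steps 12 to 15 can be scripted so that a process running outside nsp_domain_t, or a missing policy module, is reported explicitly. The following is an added example, not part of the original procedure or the NSP tooling. The process pattern, domain and module name come from the steps above; the function names, the `--live` argument and the sample `ps` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the verification in steps 12 to 15.
PATTERN='k3s|harbor|traefik|coredns|provisioner|registry'   # from step 12
DOMAIN='nsp_domain_t'                                       # from step 12
MODULE='k3s_nsp_domain'                                     # from step 14

# Reads `ps -aefZ` lines on stdin and prints every matching process whose
# SELinux type (third field of the label, user:role:type:level) is not $DOMAIN.
unconfined_procs() {
    grep -E "$PATTERN" | grep -v grep | awk -v d="$DOMAIN" '
        { split($1, ctx, ":") }
        ctx[3] != d { print }'
}

# Reads `semodule -l` output on stdin; succeeds only on an exact name match,
# with or without a trailing version column.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }'
}

# Runs both checks against the live station; returns non-zero on any finding.
verify_host() {
    rc=0
    bad=$(ps -aefZ | unconfined_procs)
    if [ -n "$bad" ]; then
        printf 'Not running in %s:\n%s\n' "$DOMAIN" "$bad"
        rc=1
    fi
    if ! semodule -l | module_loaded; then
        printf 'Policy module %s is not loaded\n' "$MODULE"
        rc=1
    fi
    return "$rc"
}

# Constructed sample of `ps -aefZ` output (not captured from a real station).
SAMPLE_PS='system_u:system_r:nsp_domain_t:s0 root 1201 1 0 10:02 ? 00:00:41 /usr/local/bin/k3s server
system_u:system_r:nsp_domain_t:s0 root 1544 1201 0 10:03 ? 00:00:05 /coredns -conf /etc/coredns/Corefile
system_u:system_r:unconfined_service_t:s0 root 1610 1201 0 10:03 ? 00:00:02 traefik --configfile=/config/traefik.yml
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 980 1 0 10:01 ? 00:00:00 /usr/sbin/sshd -D'

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    verify_host
fi
```

On the sample input, only the traefik line is reported, because its label carries unconfined_service_t rather than nsp_domain_t.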