How do I enable SELinux enforcing mode for the NFM-P?
Purpose
CAUTION: Potential Security Risk
Enabling SELinux enforcing mode when any AVCs remain unresolved may pose a security risk.
Before you attempt to enable enforcing mode, you must resolve any AVCs associated with the nsp_domain_t domain that are raised during a soak period in permissive mode.
It is strongly recommended that the system run in permissive mode for at least seven days with no nsp_domain_t AVCs on any NFM-P main server, main database, or auxiliary server.
Perform this procedure to enable SELinux enforcing mode in an NFM-P system.
Note: You must perform the procedure on each component that supports SELinux enforcing mode, as listed in SELinux support scope.
Note: You must enable permissive mode on each component, as described in How do I enable SELinux on the NFM-P?, before you can enable enforcing mode on the components.
Note: You do not need to stop any NFM-P processes in order to switch from permissive to enforcing mode.
Note: You require root user privileges on each station.
Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.
Steps
1
Log in to the component station as the root user.
2
Open a console window.
3
Enter the following:
# cd /opt/nsp/nfmp/config/selinux/tools/bin ↵
4
Enter the following to show the number of system and NSP-domain AVCs:
# ./setroubleshoot.bash collect-avcs ↵
The following messages are displayed:
Generating RAW AVC file...
+ Total Number of distinct AVCs: n
+ Number of AVCS related to nsp_domain: n
5
If the command returns any NSP-domain AVCs, enter the following:
# ./setroubleshoot.bash resolve-nsp-avcs my_policy ↵
where my_policy is a file name other than nsp_domain that does not include ‘module’.
A policy module file with a .te extension is created in /opt/nsp/nfmp/config/selinux/tools/bin/tmp/policy.
6
The policy module file generated in Step 5 must be reviewed by an experienced SELinux user before the file is loaded in a subsequent step, or system security may be seriously compromised. The reviewer must ensure that the file does not include any entry that may constitute a security risk to your system. Ensure that the generated policy module file passes a security review.
Note: If the review reveals any AVC issues, you must not proceed to the next step until the AVC issues are resolved.
7
Enter the following:
# cd /opt/nsp/nfmp/config/selinux/tools/bin/tmp/policy ↵
8
Enable enforcing mode. SELinux is enabled in enforcing mode.
9
Enter the following:
# getenforce ↵
The SELinux mode is displayed.
10
View the command output to verify that SELinux is enabled in enforcing mode.
11
Close the console window.
End of steps
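The security review required in Step 6 is a manual task. As an added example that is not part of the NFM-P tooling, the following shell function runs a first-pass lint over a generated .te policy module (the file Step 5 writes) and flags the statement types an SELinux reviewer should scrutinise before the module is loaded. The sample module, the file path and the pattern list are constructed for this example, not taken from an NFM-P system.

```shell
#!/bin/sh
# Added example: first-pass lint for a generated SELinux .te policy module.
# Flags statements that commonly widen a domain's privileges well beyond what
# a soak-period AVC justifies. Everything here is a constructed illustration.

# Print flagged statements with line numbers.
# Returns 0 when nothing is flagged, 1 when at least one statement needs attention.
lint_te_policy() {
    te_file="$1"
    # Drop '#' comments first so only real statements are matched.
    hits=$(sed 's/#.*$//' "$te_file" | grep -n -E \
        -e '^[[:space:]]*permissive[[:space:]]' \
        -e ':[[:alnum:]_]+[[:space:]]+\*[[:space:]]*;' \
        -e '^[[:space:]]*allow[[:space:]].*[[:space:]](shadow_t|unconfined_t|kernel_t|init_t)[[:space:]]*:' \
        -e ':capability2?[[:space:]]*[{]?[^;]*(sys_admin|sys_module|sys_rawio)' \
        -e ':(file|dir|chr_file|blk_file|lnk_file)[[:space:]]*[{]?[^;]*(relabelto|relabelfrom|execmod|entrypoint)' \
        || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Number of flagged statements, convenient for scripted gates.
lint_te_policy_hits() {
    lint_te_policy "$1" | wc -l | tr -d ' '
}

# Constructed sample module in the shape audit2allow-style tools produce.
SAMPLE_TE="${TMPDIR:-/tmp}/my_policy_sample.te"
cat > "$SAMPLE_TE" <<'EOF'
module my_policy 1.0;

require {
    type nsp_domain_t;
    type var_log_t;
    type shadow_t;
    class file { read write open getattr };
    class capability { sys_admin };
}

# Benign: the kind of rule a soak period legitimately surfaces
allow nsp_domain_t var_log_t:file { read open getattr };
# Risky: grants access to the shadow password file
allow nsp_domain_t shadow_t:file { read open };
# Risky: a capability that is effectively root
allow nsp_domain_t self:capability { sys_admin };
# Risky: makes the domain permissive, silently undoing enforcing mode
permissive nsp_domain_t;
EOF

if lint_te_policy "$SAMPLE_TE"; then
    echo "nothing flagged: hand the module to the human reviewer"
else
    echo "flagged statements above must be justified or removed before loading"
fi
```

A clean result from this lint is a precondition for the review in Step 6, not a substitute for it.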