What is SELinux?

Introduction

For greater system security, you can enable RHEL SELinux on NSP components. SELinux logs user operations as Application Visibility and Control (AVC) messages, which are stored in local logs. SELinux has two modes, permissive and enforcing; the support for each is described in SELinux support scope.

See the RHEL documentation for comprehensive SELinux configuration and implementation information.

Note: The SELinux policies for the NSP product are to be applied only to the NSP product and the RHEL OS packages listed in the NSP Installation and Upgrade Guide. Any SELinux denials for other software packages are not the responsibility of Nokia.

SELinux permissive mode

No SELinux policy is enforced in permissive mode, and no operations are denied. However, SELinux does log AVC messages while in permissive mode. AVC messages may be of use for troubleshooting, debugging, and SELinux policy improvements. An AVC message is logged each time a violation occurs.
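As an added example (not code from the NSP documentation), the script below shows the kind of triage an administrator does with the AVC messages that permissive mode produces: it reports the current mode with getenforce and summarises denial records by process, denied permission and target type. The audit lines, the example_app process name and its labels are constructed for illustration and are not taken from the NSP policy.

```shell
#!/bin/sh
# Added example (not NSP documentation code): summarise SELinux AVC denial
# messages from audit-log text. Real records come from /var/log/audit/audit.log;
# with restricted root access, read it as the NSP admin user with sudo.

# Report the current SELinux mode (Enforcing, Permissive or Disabled).
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "unknown"
    fi
}

# Read audit records on stdin and print "count comm permission target_type"
# for each distinct AVC denial, most frequent first. Other records are ignored.
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        comm = ""; perm = ""; ttype = ""
        # The denied permission set is the text between "denied  {" and "}".
        if (match($0, /denied +[{] [^}]* [}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] /, "", perm); sub(/ [}]$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tcontext=/) {
                split(substr($i, 10), ctx, ":"); ttype = ctx[3]   # user:role:type:level
            }
        }
        count[comm " " perm " " ttype]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample audit records (not real NSP output). permissive=1 marks a
# denial that was only logged, not blocked, which is what permissive mode does.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="example_app" name="data.db" dev="dm-0" ino=4242 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1234 comm="example_app" name="data.db" dev="dm-0" ino=4242 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1234 comm="example_app" dest=5432 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=yes exit=0'

echo "SELinux mode: $(selinux_mode)"
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Each output line is one distinct denial pattern; a pattern that keeps recurring in permissive mode is what would be blocked once enforcing mode is enabled, and so is a candidate for policy review.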

SELinux enforcing mode

In enforcing mode, SELinux enforces the policies specified in the NSP SELinux configuration, and logs AVC messages as required.

Restricted root-user access

If restricted root-user access is enabled, each SELinux command in the following procedures must be run by the NSP admin user and prefaced with ‘sudo’.

SELinux support scope

The procedures in this section describe enabling SELinux on the following:

Note: An NSP auxiliary database supports SELinux only in permissive mode, which is enabled by default.

SELinux for Classic Management describes enabling SELinux on the following, which support SELinux enforcing mode: