How do I troubleshoot SELinux on the NFM-P?

Purpose

Perform this procedure if SELinux enforcing mode is enabled and you suspect that SELinux is affecting NFM-P operation.

Note: The procedure applies only to the NFM-P components that support SELinux enforcing mode, as listed in SELinux support scope.

Note: You must perform the procedure on each NFM-P station that has SELinux enforcing mode enabled.

Note: You require root user privileges on each station.

Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.

Steps
 

Log in as the root user on the standalone or primary NFM-P main server station.


Open a console window.


Enter the following:

cd /opt/nsp/nfmp/config/selinux/tools/bin ↵


Switch to SELinux permissive mode.

Note: The NFM-P main server can remain running during the switch from enforcing to permissive mode.

  1. Enter the following:

    ./selinuxenable.sh -p ↵

  2. Enter the following to verify that SELinux is in permissive mode:

    getenforce ↵

    The SELinux mode is displayed.

  3. View the command output to verify that SELinux is enabled in permissive mode.


Enter the following to show the number of system and NSP-domain AVCs:

./setroubleshoot.bash collect-avcs ↵

The following messages are displayed:

Generating RAW AVC file...

+ Total Number of distinct AVCs: n

    + Number of AVCS related to nsp_domain: n


If the command returns any NSP-domain AVCs, enter the following:

./setroubleshoot.bash resolve-nsp-avcs my_policy

where my_policy is a file name other than nsp_domain that does not include ‘module’

A policy module file with a .te extension is created in /opt/nsp/nfmp/config/selinux/tools/bin/tmp/policy.


WARNING 

WARNING

Extreme Security Risk

The policy module file generated in Step 6 must be reviewed by an experienced SELinux user before the file is loaded in a subsequent step, or system security may be seriously compromised.

The reviewer must ensure that the file does not include any entry that may constitute a security risk to your system.

Ensure that the generated policy module file passes a security review.

  1. Enlist an experienced SELinux user to review the policy module file.

  2. If the review reveals any AVCs that need to be included in the generic NSP SELinux policy, the reviewer must open a support ticket and include the SELinux logs data generated by running the following script:

    /opt/nsp/nfmp/config/selinux/tools/bin/cgselinuxlogs.sh

  3. Make note of the policy created in Step 6 in the event that the experienced SELinux user needs to modify or remove the policy in the future. Maintenance of the policy is the responsibility of the SELinux user.

Note: If the review reveals any AVC issues, you must not proceed to the next step until the AVC issues are resolved.


Close the console window.

End of steps