Documentation

SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism implemented in the kernel.
When enabled, SELinux has two modes: enforcing and permissive.
SELinux is pre-installed and pre-configured in permissive mode in Red Hat Enterprise Linux and its clones (Oracle Linux, Rocky Linux, CentOS).

Follow this procedure to enable and configure SELinux with LPAR2RRD and STOR2RRD.

LPAR2RRD, STOR2RRD and Xormon have not been fully tested with SELinux enabled and may behave unexpectedly.
The following procedure is provided as is, without guarantee or support.
Note that it does not cover third-party software which might be needed for monitoring some devices.

Note: run all commands as root

Install SELinux tools

yum install -y setools-console policycoreutils-python-utils

Check SELinux status

It should be disabled:
getenforce
  Disabled

Enable SELinux in permissive mode and reboot

Enabling SELinux without rebooting is not possible.
If SELinux was previously disabled, the system needs to perform a full filesystem relabeling on the next boot.
Relabeling may take several minutes.

Set SELINUX=permissive in /etc/selinux/config and reboot

sed -i 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config
reboot

Configure SELinux

SELinux booleans
setsebool -P httpd_execmem on
setsebool -P httpd_read_user_content on
setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_network_connect_db on
setsebool -P httpd_can_sendmail on
setsebool -P httpd_unified on
setsebool -P httpd_enable_homedirs on

SELinux Semanage ALLOW port
semanage port -l | grep http_port_t
semanage port -a -t http_port_t -p tcp 80
semanage port -a -t http_port_t -p tcp 8443
semanage port -a -t http_port_t -p tcp 443

LPAR2RRD
chcon -R -t httpd_sys_rw_content_t /home/lpar2rrd/lpar2rrd
chcon -R -t httpd_sys_content_t /home/lpar2rrd/lpar2rrd/www
chcon -R -t httpd_sys_content_t /home/lpar2rrd/lpar2rrd/data
chcon -R -t httpd_sys_script_exec_t /home/lpar2rrd/lpar2rrd/bin
chcon -R -t httpd_sys_script_exec_t /home/lpar2rrd/lpar2rrd/load_*.sh
chcon -R -t httpd_sys_script_exec_t /home/lpar2rrd/lpar2rrd/lpar2rrd-cgi
chcon -R -t httpd_sys_script_exec_t /home/lpar2rrd/lpar2rrd/bin/vmware_install_image.sh

STOR2RRD
chcon -R -t httpd_sys_rw_content_t /home/stor2rrd/stor2rrd
chcon -R -t httpd_sys_script_exec_t /home/stor2rrd/stor2rrd/stor2rrd-cgi/
chcon -R -t httpd_sys_content_t /home/stor2rrd/stor2rrd/data/
chcon -R -t httpd_sys_content_t /home/stor2rrd/stor2rrd/www

Set SELinux to enforcing

setenforce 1
sed -i 's/^SELINUX=.*$/SELINUX=enforcing/g' /etc/selinux/config
getenforce

Troubleshoot SELinux / Logs

tail -n 500 /var/log/audit/audit.log | grep -i avc
grep "AVC" /var/log/audit/audit.log 
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
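
Raw AVC records are repetitive, so before relying on enforcing mode it helps to group them by what was denied. The following is an added example, not part of the LPAR2RRD documentation: the function names summarize_avc and sample_log are hypothetical, and the log records in sample_log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the LPAR2RRD docs): group AVC denials so that each
# distinct (source type, permission, target type:class, mode) appears once.

summarize_avc() {
    awk '
    /avc:[ ]+denied/ {
        perms = ""; src = "?"; tgt = "?"; cls = "?"; mode = "enforcing"
        # Denied permissions are listed between "{" and "}".
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            else if ($i == "permissive=1") { mode = "permissive" }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            count[src " " p[j] " " tgt ":" cls " " mode]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample records in audit.log format (not taken from a real system).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { write } for  pid=2211 comm="httpd" name="tmp" dev="dm-0" ino=1101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1700000060.202:502): avc:  denied  { write } for  pid=2212 comm="httpd" name="tmp" dev="dm-0" ino=1101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000120.303:503): avc:  denied  { read open } for  pid=2213 comm="perl" path="/home/lpar2rrd/example.cfg" dev="dm-0" ino=1102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000180.404:504): avc:  denied  { name_connect } for  pid=2214 comm="perl" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Demo on the constructed sample; on a real host pipe ausearch output instead.
sample_log | summarize_avc
```

On a real host, pipe the query shown above into the function: ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent | summarize_avc. Rows marked permissive were only logged and would be blocked in enforcing mode.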