SELinux configuration

Swarm supports SELinux, the mandatory access control mechanism that confines processes such as the web server on Linux distributions. Under SELinux, the httpd process that runs Swarm can only read, write, execute and connect to what the loaded policy allows, so the labels and booleans below must be set before Swarm will work in enforcing mode.

SELinux operates in one of three modes:

  • enforcing: this mode blocks and logs any actions that do not match the defined security policy. This is the default mode for SELinux.
  • permissive: this mode logs actions that do not match the defined security policy but these actions are not blocked.
  • disabled: in this mode SELinux is off, actions are not blocked and are not logged.
Tip

To check the mode SELinux is currently operating in, run getenforce. The SELINUX= line in /etc/selinux/config sets the mode that is applied at boot; view it with vi or a similar editor:

root $ vi /etc/selinux/config

SELinux must be configured so that it works correctly with Swarm; the configuration steps are shown below.

Note

You must complete the Helix Swarm package Installation steps, and the Post-installation configuration steps before configuring SELinux.

Configure SELinux to enforcing mode

Run the following commands as root:

  1. Install the package that contains the semanage configuration tool, which is used to configure SELinux. Follow the instructions for your OS distribution:

     • CentOS/RHEL 7: install the policycoreutils-python package:

       root $ yum install policycoreutils-python

     • RHEL 8: install the policycoreutils-python-utils package:

       root $ yum install policycoreutils-python-utils

     • RHEL 9: install the policycoreutils-python-utils package:

       root $ yum install policycoreutils-python-utils

  2. Check the current SELinux mode:

     root $ getenforce

     SELinux reports its mode as Enforcing, Permissive, or Disabled. If the mode is not Enforcing:

     1. Edit the /etc/selinux/config file with vi or a similar editor:

        root $ vi /etc/selinux/config

     2. Edit the config file so that SELINUX= is set to enforcing (the variable name is upper case).
     3. Save the config file.
     4. Reboot the server to complete the SELinux mode change. If SELinux was previously disabled, files created or changed while it was off carry no labels and the filesystem must be relabeled, see the relabel step at the end of this procedure.

  3. Allow content in /opt/perforce/swarm to be read and written by the httpd process:

     root $ semanage fcontext -a -t httpd_sys_rw_content_t "/opt/perforce/swarm(/.*)?"
     root $ restorecon -R /opt/perforce/swarm

     If semanage reports that the file context is already defined, for example when the steps are re-run after an upgrade, use -m instead of -a to modify the existing rule.

  4. Allow the httpd process to connect to other networked services, for example P4D and Redis:

     root $ setsebool -P httpd_can_network_connect 1

  5. Allow comment attachment thumbnails to be created:

     root $ setsebool -P httpd_tmp_exec 1

  6. Allow the files in p4-bin to be executed by the httpd process:

     root $ semanage fcontext -a -t httpd_sys_script_exec_t '/opt/perforce/swarm/p4-bin(/.*)?'
     root $ restorecon -R -v /opt/perforce/swarm/p4-bin

  7. Label the Redis binary as an ordinary executable (bin_t), removing the web-content constraints it would otherwise inherit from step 3, so that systemd can start it at boot time:

     root $ semanage fcontext -a -t bin_t /opt/perforce/swarm/sbin/redis-server-swarm
     root $ restorecon -v /opt/perforce/swarm/sbin/redis-server-swarm

  8. Restart the Apache web server (httpd) so that it picks up the new booleans and labels:

     root $ systemctl restart httpd

  9. Check that you can log in to Swarm.
  10. Only if required: relabel your filesystem, see the note before relabeling:

     Important

     Relabeling your file system can be a time consuming process, it is recommended that you only do this if you need to. This depends entirely on your SELinux setup, Perforce cannot give you advice on this.

     root $ touch /.autorelabel

     Reboot the server.

  11. Check that you can log in to Swarm.
  12. SELinux is now configured for Swarm.
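The following script is an added example and is not part of Helix Swarm or its installer. It performs read-only checks that the SELinux state on a Swarm host matches what the procedure above leaves behind: the boot mode in /etc/selinux/config, the two httpd booleans, and the file type every path under the Swarm root should carry after the restorecon steps. It assumes Swarm is installed under /opt/perforce/swarm (override with SWARM_ROOT) and that the config file is /etc/selinux/config (override with SELINUX_CONFIG); the file names and function names are the example's own. Nothing in it changes policy.

```bash
#!/bin/bash
# Added example, not part of Helix Swarm: read-only checks that a Swarm host's
# SELinux state matches the enforcing-mode procedure. Assumed paths can be
# overridden through SWARM_ROOT and SELINUX_CONFIG.

SWARM_ROOT="${SWARM_ROOT:-/opt/perforce/swarm}"
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Mode that applies at boot: the SELINUX= line of the config file given as $1
# (comments and the SELINUXTYPE= line are ignored; the last SELINUX= line wins).
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# $1 is a file holding `getsebool -a` output ("name --> on|off" per line).
# Returns 1 and names each boolean from the procedure that is not "on".
booleans_ok() {
    local rc=0 b
    for b in httpd_can_network_connect httpd_tmp_exec; do
        grep -qE "^${b} --> on$" "$1" || { echo "boolean ${b} is off" >&2; rc=1; }
    done
    return $rc
}

# SELinux type a path under the Swarm root should carry after the restorecon steps.
# Most specific rule first, which is also how overlapping fcontext rules resolve.
expected_type() {
    case "$1" in
        "$SWARM_ROOT"/sbin/redis-server-swarm)        echo bin_t ;;
        "$SWARM_ROOT"/p4-bin|"$SWARM_ROOT"/p4-bin/*)  echo httpd_sys_script_exec_t ;;
        "$SWARM_ROOT"|"$SWARM_ROOT"/*)                echo httpd_sys_rw_content_t ;;
        *)                                            echo unknown ;;
    esac
}

# $1 is a file of "context path" lines, as printed by `stat -c '%C %n'`.
# Returns 1 and reports every path whose type differs from expected_type.
labels_ok() {
    local rc=0 ctx path have want
    while read -r ctx path; do
        [ -n "$path" ] || continue
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)
        want=$(expected_type "$path")
        if [ "$have" != "$want" ]; then
            echo "$path is labelled $have, expected $want" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Live run on the Swarm host, as root:  bash swarm-selinux-check.sh --live
live_check() {
    local tmp rc=0
    tmp=$(mktemp -d)
    echo "configured mode: $(configured_mode "$SELINUX_CONFIG"); running mode: $(getenforce)"
    getsebool -a > "$tmp/booleans"
    booleans_ok "$tmp/booleans" || rc=1
    # %C is the SELinux context of the file and %n its name (GNU coreutils stat).
    find "$SWARM_ROOT" -exec stat -c '%C %n' {} + > "$tmp/labels"
    labels_ok "$tmp/labels" || rc=1
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = --live ]; then
    live_check
fi
```

A path reported by labels_ok usually means restorecon was not run after the semanage rule was added, or that the file was created while SELinux was disabled; a boolean reported as off means the setsebool -P step did not persist. Run the script again after a reboot to confirm that the settings survived it.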
Note

If you cannot log in to Swarm, it is possible that SELinux is blocking Swarm because its configuration is incorrect. You will need to troubleshoot the SELinux configuration to find any issues. To confirm that SELinux is the cause, switch the running mode to permissive with setenforce 0 (no reboot is needed and the change lasts only until the next boot); if Swarm then works, the denials SELinux keeps logging in permissive mode show what needs fixing. Return to enforcing mode with setenforce 1 once the fix has been applied.

Install the setroubleshoot package, this contains sealert which is used when troubleshooting SELinux:

root $ yum install setroubleshoot

sealert helps you to interpret the contents of the audit.log, where denials are recorded as type=AVC entries (ausearch -m AVC -ts recent lists the most recent ones). Run the following command:

root $ sealert -a /var/log/audit/audit.log

Error message: If you see an error message with a title similar to the one below, it may be because you are running CentOS/RHEL on a Virtual Machine (VM):

SELinux is preventing /usr/sbin/ldconfig from write access on the directory etc.

Install open-vm-tools on the VM and reboot the VM.

root $ yum install open-vm-tools
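When sealert is not available, or to see at a glance which of the steps above a login failure maps to, the following script is an added example (not part of Helix Swarm or of setroubleshoot) that reads the type=AVC records in audit.log, keeps those raised by the httpd_t domain, and prints the step of the enforcing-mode procedure that grants each denied access. The mapping from denial to step is the example's own assumption, derived from the settings that procedure applies; anything it does not recognise is left for sealert. The sample records embedded in it are constructed for the example, with made-up timestamps, pids and inode numbers.

```bash
#!/bin/bash
# Added example, not part of Helix Swarm or setroubleshoot: triage httpd AVC
# denials from audit.log against the Swarm SELinux procedure. The denial-to-fix
# mapping below is this script's own assumption.

# Value of one key=value field (quoted or not) in an AVC record: avc_field "$line" scontext
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# First permission inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | awk '{print $1}'
}

# Print the fix for one AVC record.
avc_hint() {
    local line=$1 stype perm tclass ttype
    stype=$(avc_field "$line" scontext | cut -d: -f3)
    if [ "$stype" != httpd_t ]; then
        echo "not httpd: source domain $stype"
        return 0
    fi
    perm=$(avc_perm "$line")
    tclass=$(avc_field "$line" tclass)
    ttype=$(avc_field "$line" tcontext | cut -d: -f3)
    case "$tclass:$perm:$ttype" in
        tcp_socket:name_connect:*)
            echo "setsebool -P httpd_can_network_connect 1" ;;
        file:execute:httpd_tmp_t|file:execute_no_trans:httpd_tmp_t)
            echo "setsebool -P httpd_tmp_exec 1" ;;
        file:execute:httpd_sys_*content_t|file:execute_no_trans:httpd_sys_*content_t)
            echo "p4-bin step: label httpd_sys_script_exec_t and restorecon" ;;
        *:write:httpd_sys_content_t|*:create:httpd_sys_content_t|*:add_name:httpd_sys_content_t|*:unlink:httpd_sys_content_t|*:remove_name:httpd_sys_content_t)
            echo "swarm root step: label httpd_sys_rw_content_t and restorecon" ;;
        *)
            echo "unmapped ($tclass $perm on $ttype): see sealert -a /var/log/audit/audit.log" ;;
    esac
}

# Distinct hints for every AVC record in the audit log given as $1, most frequent first,
# printed as "<count> <hint>".
audit_hints() {
    grep '^type=AVC ' "$1" | while IFS= read -r line; do
        avc_hint "$line"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample records in audit.log format (timestamps, pids and inodes are made up).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=1666 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=2101 comm="httpd" name="data" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { execute } for  pid=2102 comm="httpd" name="convert" dev="dm-0" ino=2345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { execute_no_trans } for  pid=2103 comm="httpd" path="/opt/perforce/swarm/p4-bin/p4" dev="dm-0" ino=3456 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.105:205): avc:  denied  { write } for  pid=1 comm="systemd" name="etc" dev="dm-0" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
EOF
}

# Demo on the constructed records:  bash avc-hints.sh --demo
# Real use on the Swarm host, as root:  audit_hints /var/log/audit/audit.log
if [ "${1:-}" = --demo ]; then
    tmp=$(mktemp)
    sample_audit_log > "$tmp"
    audit_hints "$tmp"
    rm -f "$tmp"
fi
```

Run it in permissive mode first: with enforcing mode the first denial stops the request, so the log shows one problem at a time, whereas permissive mode records every access Swarm needs in a single login attempt and the count column then shows which fix matters most.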

Configure SELinux permissive or disabled mode

Run the following as root:

  1. Check the current SELinux mode:

     root $ getenforce

     SELinux reports its mode as Enforcing, Permissive, or Disabled. If the mode is not set correctly:

     1. Edit the /etc/selinux/config file with vi or a similar editor:

        root $ vi /etc/selinux/config

     2. Edit the config file so that SELINUX= is set to permissive or disabled as required (the variable name is upper case).
     3. Save the config file.
     4. Reboot the server to complete the SELinux mode change.

  2. Check that you can log in to Swarm.
  3. SELinux is now configured for Swarm.

Note

Permissive mode still logs every denial to /var/log/audit/audit.log, so it is the mode to use while diagnosing a policy problem; disabled mode logs nothing and, if SELinux is enabled again later, the filesystem must be relabeled before enforcing mode works. A switch between enforcing and permissive does not need a reboot: setenforce 0 (permissive) and setenforce 1 (enforcing) change the running mode until the next boot, when the setting in /etc/selinux/config applies again. A reboot is only required to enter or leave disabled mode.