SELinux configuration
Swarm supports SELinux, an advanced access control mechanism that improves security for Linux distributions.
SELinux operates in one of three modes:
- enforcing: this mode blocks and logs any actions that do not match the defined security policy. This is the default mode for SELinux.
- permissive: this mode logs actions that do not match the defined security policy but these actions are not blocked.
- disabled: in this mode SELinux is off, actions are not blocked and are not logged.
To check the mode SELinux is operating in, view the /etc/selinux/config file with vi or a similar editor:
root $ vi /etc/selinux/config
SELinux must be configured to work correctly with Swarm; the configuration steps are shown below.
You must complete the Helix Swarm package Installation steps, and the Post-installation configuration steps before configuring SELinux.
Configure SELinux to enforcing mode
Run the following commands as root:
- Install the package that contains the semanage configuration tool, which is used to configure SELinux. Follow the instructions for your OS distribution:
  - CentOS/RHEL 7: Install the policycoreutils-python package:
    root $ yum install policycoreutils-python
  - RHEL 8: Install the policycoreutils-python-utils package:
    root $ yum install policycoreutils-python-utils
  - RHEL 9: Install the policycoreutils-python-utils package:
    root $ yum install policycoreutils-python-utils
- Check the current SELinux mode:
    root $ getenforce
  SELinux will report its mode as enforcing, permissive, or disabled.
- If the mode is not set correctly, edit the /etc/selinux/config file with vi or a similar editor:
    root $ vi /etc/selinux/config
  - Edit the config file so that SELINUX= is set to enforcing.
  - Save the config file.
  - Reboot the server to complete the SELinux mode change.
- Allow content in /opt/perforce/swarm to be read and written by the httpd process:
    root $ semanage fcontext -a -t httpd_sys_rw_content_t "/opt/perforce/swarm(/.*)?"
    root $ restorecon -R /opt/perforce/swarm
- Allow the httpd process to connect to other networked services, for example P4D and Redis:
    root $ setsebool -P httpd_can_network_connect 1
- Allow comment attachment thumbnails to be created:
    root $ setsebool -P httpd_tmp_exec 1
- Allow the files in p4-bin to be executed by the httpd process:
    root $ semanage fcontext -a -t httpd_sys_script_exec_t '/opt/perforce/swarm/p4-bin(/.*)?'
    root $ restorecon -R -v /opt/perforce/swarm/p4-bin
- Remove the executable constraints on Redis, allowing it to be started by systemd at boot time:
    root $ semanage fcontext -a -t bin_t /opt/perforce/swarm/sbin/redis-server-swarm
    root $ restorecon -v /opt/perforce/swarm/sbin/redis-server-swarm
- Restart the httpd service:
    root $ systemctl restart httpd
- Check that you can log in to Swarm.
- Only if required: Relabel your filesystem. See the note below before relabeling:
    root $ touch /.autorelabel
  Note: Relabeling your file system can be a time consuming process, so only do this if you need to. Whether it is needed depends entirely on your SELinux setup; Perforce cannot give you advice on this.
- Reboot the server.
- Check that you can log in to Swarm.
- SELinux is now configured for Swarm.
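After completing the steps above, the following POSIX shell script (an added example, not part of the Perforce documentation or of Swarm's own tooling) verifies that the host is in the expected state: mode Enforcing, both booleans on, and the three Swarm paths carrying the types set above. It parses the output of getenforce, getsebool -a and ls -Zd, and assumes Swarm's default install paths; the embedded sample output is constructed so the checks can be exercised offline.

```shell
# Expected post-configuration state for Swarm's default install paths.
REQUIRED_BOOLS="httpd_can_network_connect httpd_tmp_exec"
REQUIRED_CONTEXTS="/opt/perforce/swarm|httpd_sys_rw_content_t
/opt/perforce/swarm/p4-bin|httpd_sys_script_exec_t
/opt/perforce/swarm/sbin/redis-server-swarm|bin_t"

# Constructed sample output (not captured from a real host) for offline use;
# httpd_tmp_exec is deliberately off so the boolean check reports it.
SAMPLE_BOOLS="httpd_can_network_connect --> on
httpd_tmp_exec --> off"
SAMPLE_CONTEXTS="system_u:object_r:httpd_sys_rw_content_t:s0 /opt/perforce/swarm
system_u:object_r:httpd_sys_script_exec_t:s0 /opt/perforce/swarm/p4-bin
system_u:object_r:bin_t:s0 /opt/perforce/swarm/sbin/redis-server-swarm"
# check_mode MODE: succeeds only when getenforce output is "Enforcing".
check_mode() { [ "$1" = "Enforcing" ]; }

# check_bools "<getsebool -a output>": reports each required boolean that
# is not on; fails if any is missing or off.
check_bools() {
  rc=0
  for b in $REQUIRED_BOOLS; do
    printf '%s\n' "$1" | grep -q "^$b --> on\$" \
      || { echo "boolean $b is not on"; rc=1; }
  done
  return $rc
}

# check_contexts "<ls -Zd output>": ls -Z prints user:role:type:level then
# the path; compare the type field of each required path to the expected one.
check_contexts() {
  rc=0
  for entry in $REQUIRED_CONTEXTS; do
    path=${entry%%|*}; want=${entry#*|}
    got=$(printf '%s\n' "$1" | awk -v p="$path" '$2 == p { split($1, c, ":"); print c[3] }')
    [ "$got" = "$want" ] \
      || { echo "$path has type '${got:-none}', expected $want"; rc=1; }
  done
  return $rc
}

# audit_live: run all three checks against the running host (needs the
# SELinux tools installed above); returns non-zero if anything is off.
audit_live() {
  check_mode "$(getenforce 2>/dev/null)"; m=$?
  check_bools "$(getsebool -a 2>/dev/null)"; b=$?
  check_contexts "$(ls -Zd /opt/perforce/swarm /opt/perforce/swarm/p4-bin \
    /opt/perforce/swarm/sbin/redis-server-swarm 2>/dev/null)"; c=$?
  [ "$m$b$c" = "000" ]
}
```

Run audit_live on the Swarm host after the reboot; any line it prints names the specific boolean or file context that still differs from the configuration above.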
If you cannot log in to Swarm, it is possible that SELinux is blocking Swarm because its configuration is incorrect. You will need to troubleshoot the SELinux configuration to find any issues.
Install the setroubleshoot package; this contains sealert, which is used when troubleshooting SELinux:
root $ yum install setroubleshoot
sealert helps you to interpret the contents of the audit.log. Run the following command:
root $ sealert -a /var/log/audit/audit.log
Error message: If you see an error message with a title similar to the message below, it may be because you are running CentOS/RHEL on a Virtual Machine (VM).
SELinux is preventing /usr/sbin/ldconfig from write access on the directory etc.
Install open-vm-tools on the VM and reboot the VM:
root $ yum install open-vm-tools
Configure SELinux permissive or disabled mode
Run the following as root:
- Check the current SELinux mode:
    root $ getenforce
  SELinux will report its mode as enforcing, permissive, or disabled.
- If the mode is not set correctly, edit the /etc/selinux/config file with vi or a similar editor:
    root $ vi /etc/selinux/config
  - Edit the config file so that SELINUX= is set to permissive or disabled as required.
  - Save the config file.
  - Reboot the server to complete the SELinux mode change.
- Check that you can log in to Swarm.
- SELinux is now configured for Swarm.