-
Title
SELinux configuration for Privilege Manager and Management Console for Unix (MCU) -
Description
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. When running in 'Enforcing' mode, which is the default for distributions such as Red Hat Enterprise Linux and CentOS, it may interfere with the normal behaviour of Privilege Manager.The main problems have been found when configuring the questusr and pmpolicy service accounts on a Primary Policy Server and remotely accessing these accounts via ssh, due to the security contexts under which these actions are executed.For example, when configuring a Primary Policy Server through the MCU, or configuring the service account on a pre-configured Primary Policy Server via the MCU System settings, the following error may appear in the output panel:Failed to connect to host X.X.X.X : xxx.xxx.xxx Verify the username and password and confirm that you can manually connect to the host X.X.X.X via SSH. Also try to manually telnet to host X.X.X.X on the SSH port and verify that the SSH version is returned ( telnet X.X.X.X 22 ) -
Cause
During this process, MCU needs to access the /var/opt/quest/home/questusr/.ssh/authorized_keys file via SSH, which is prevented by SELinux since /var is not the usual place for a user home and therefore has a different security context.
A message similar to the following one appears in /var/log/audit/audit.log:
type=AVC msg=audit(1431011295.352:623): avc: denied { read } for pid=9856 comm="sshd" name="authorized_keys" dev="dm-0" ino=33567082 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
-
Resolution
Changing the SELinux mode to 'Permissive' will allow this operation (and any other that would be prevented under 'Enforcing' mode), while logging such actions as "denied" in the audit.log file, but it is not recommended since it disables SELinux protection.
A better option is to configure SELinux to allow Privilege Manager set up in 'Enforcing' mode. From the multiple ways to do this, we recommend having the following lines added to the '/etc/selinux/targeted/contexts/files/file_contexts.homedirs' file. Ideally, this should be done before configuring the service account via the MCU, or configuring the policy server using the 'pmsrvconfig' command:
/var/opt/quest/home/questusr(/.*)? unconfined_u:object_r:user_home_t:s0
/var/opt/quest/qpm4u/pmpolicy(/.*)? unconfined_u:object_r:user_home_t:s0This change causes the questusr and pmpolicy home directories to be created with the security context of a user home, allowing the Primary Policy Server configuration process to succeed. If the service accounts have already been created, you can update the security contexts on the home directories and subsequent files by running the following command:
restorecon -vR /var/opt/quest/
As a side effect, this process may leave the /etc/group file in a wrong context after creating the service accounts, which can cause problems such as the login page freezing after next restart. This is fixed by executing the following command, which restores the group file to its original context:
restorecon -v /etc/group
Any other conflicts that may appear with other functionality or with a different SELinux setup will also be logged in the audit file and can be fixed similarly.
-
Additional Information
It is important that the administrator is familiar with SELinux and makes sure that these modifications will not create any security issue in the environment.