2.18.8 Settings for SELinux (for UNIX)
This section describes the steps required to operate JP1/IM - Manager when SELinux is enabled on Linux 8 or later.
To enable or disable an SELinux security context, use the semanage fcontext command and the restorecon command.
(1) Setup for Auto-Start and Auto-Stop
If SELinux is enabled, the type in the SELinux security context of jco_start and jco_stop must be set to bin_t.
The setup procedure is as follows:
# semanage fcontext -a -t bin_t '/etc/opt/jp1cons/jco_start'
# semanage fcontext -a -t bin_t '/etc/opt/jp1cons/jco_stop'
# restorecon -F /etc/opt/jp1cons/jco_start
# restorecon -F /etc/opt/jp1cons/jco_stop
(2) Setup for IM database
If SELinux is enabled, SELinux security contexts must be set for the files under the directory where the IM database is installed. However, the commands that build, update, and delete the IM database do this as part of their internal processing, so you do not need to set the contexts manually.
In addition, the SELinux security contexts are enabled and disabled regardless of whether SELinux itself is enabled or disabled. Likewise, you do not need to enable or disable them yourself if the enabled or disabled state is changed during operation after the IM database has been built.
If setting the SELinux security context fails while SELinux is disabled, processing continues without stopping with an error, because subsequent operation is not affected in the disabled state. If you later change SELinux to enabled, an error occurs when the IM database is started (including when it is started internally by commands related to the IM database). If this occurs, set the SELinux security context again (by executing the jimdbupdate command) as directed by the error message.
- Triggers for enabling and disabling the SELinux security context
The SELinux security context of the IM database is enabled and disabled at the following times:
Table 2‒7: Enabling and Disabling triggers for IM database

| Trigger | Supported Commands | Classification | Description |
|---|---|---|---|
| Newly constructed | jcodbsetup, jcfdbsetup | Setup | Enables the SELinux security context when the command is executed, regardless of whether SELinux is enabled or disabled. The setup is performed if the embedded HiRDB is not installed when the command is executed (it is skipped if either the Integrated Monitoring DB or the IM Configuration Management database is set up). When SELinux is disabled, processing continues without an error even if setting the SELinux security context fails, because subsequent operation is not affected. If you later change SELinux to enabled, an error occurs when the IM database is started (including when it is started internally by commands). If this occurs, set the SELinux security context again (by executing the jimdbupdate command) as directed by the error message. |
| Update | jimdbupdate | Setup or re-setup | Sets or re-sets the SELinux security context automatically when the command is executed, regardless of whether SELinux is disabled. You can also set the SELinux security context when there are no HiRDB upgrades or schema changes. |
| Delete | jcodbunsetup, jcfdbunsetup | Delete | Deletes the SELinux security context when the command is executed, regardless of whether SELinux is disabled. The deletion is performed if the embedded HiRDB is installed and the IM Configuration Management database is not set up when the command is executed (it is skipped if either the integrated monitoring DB or the IM Configuration Management database is not set up). |
- Notes on upgrading JP1/IM - Manager from a version prior to 13-00 to 13-00 or later
If you upgrade JP1/IM - Manager from a version earlier than 13-00 to 13-00 or later while the IM database is set up, be sure to execute the jimdbupdate command to update the IM database before enabling SELinux.
Because versions of JP1/IM - Manager earlier than 13-00 do not set SELinux security contexts for the IM database, the contexts remain unset until you execute the jimdbupdate command. Therefore, if you enable SELinux in this state, the IM database fails to start and displays an error message prompting you to execute the jimdbupdate command.
- Setup Target Directories for SELinux Security Contexts
The following lists the directories for which SELinux security contexts are set, and the SELinux security context type that is set for the files under each directory, assuming that the IM database is installed in /var/opt/jp1imm/dbms/JM0 (the default path of the IM database for a physical host#):
#: Replace the path as necessary.

| Target directory | Type of SELinux security context set for the files under the directory |
|---|---|
| Under /var/opt/jp1imm/dbms/JM0 | user_t |
| Under /var/opt/jp1imm/dbms/JM0/bin | bin_t |
| Under /var/opt/jp1imm/dbms/JM0/lib | lib_t |
| Under /var/opt/jp1imm/dbms/JM0/bin/servers | bin_t |
The path to the directory where the IM database is installed differs between a physical host and a logical host, as follows.
- For a physical host
Follow the definition in the setup information file (jimdbsetupinfo.conf) used to set up the IM database for the physical host. The path is "value of IMDBENVDIR/JM0".
- For a logical host
Follow the definition in the cluster IM database setup information file (jimdbclustersetupinfo.conf) used to set up the IM database for the logical host. The path is "value of IMDBENVDIR/JM<value of LOGICALHOSTNUMBER>".
(3) Setup for Intelligent Integrated Management Database
If SELinux is enabled, SELinux security contexts must be set for the files under the directory where the Intelligent Integrated Management Database is installed. However, the commands that build, update, and delete the Intelligent Integrated Management Database do this as part of their internal processing, so you do not need to set the contexts manually.
In addition, the SELinux security contexts are enabled and disabled regardless of whether SELinux itself is enabled or disabled. Likewise, you do not need to enable or disable them yourself if the enabled or disabled state is changed during operation after the Intelligent Integrated Management Database has been built.
If setting the SELinux security context fails while SELinux is disabled, processing continues without stopping with an error, because subsequent operation is not affected in the disabled state. If you later change SELinux to enabled, no error occurs.
- Triggers for enabling and disabling the SELinux security context
The SELinux security context of the Intelligent Integrated Management Database is enabled and disabled at the following times:
Table 2‒8: Setup and Delete triggers for Intelligent Integrated Management Database

| Trigger | Supported Commands | Classification | Description |
|---|---|---|---|
| Newly constructed | jimgndbsetup | Setup | The SELinux security context is set automatically when the command is executed, regardless of whether SELinux is enabled or disabled. |
| Delete | jimgndbunsetup | Delete | The SELinux security context is deleted automatically when the command is executed, regardless of whether SELinux is enabled or disabled. |
- Setup Target Directories for SELinux Security Contexts
The following lists the directory for which SELinux security contexts are set, and the SELinux security context type that is set for the files under the directory, assuming that the Intelligent Integrated Management Database is installed in "/var/opt/jp1imm/dbms/imgndbbin/pgsql" (the default path of the Intelligent Integrated Management Database for a physical host#):
#: Replace the path as necessary.

| Target directory | Type of SELinux security context set for the files under the directory |
|---|---|
| Under /var/opt/jp1imm/dbms/imgndbbin/pgsql | postgresql_db_t |
The path to the directory where the Intelligent Integrated Management Database is installed differs between a physical host and a logical host, as follows.
- For a physical host
Follow the definition in the setup information file (jimdbsetupinfo.conf) used to set up the Intelligent Integrated Management Database for the physical host. The path is "value of IMDBENVDIR/imgndbbin/pgsql".
- For a logical host
Follow the definition in the cluster Intelligent Integrated Management Database setup information file (jimdbclustersetupinfo.conf) used to set up the Intelligent Integrated Management Database for the logical host. The path is "value of IMDBENVDIR/imgndbbin<value of LOGICALHOSTNUMBER>/pgsql".
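The following added example (not part of the product or its manual) checks file labels against the context types listed in (1), (2) and (3), for instance after running jimdbupdate and before enabling SELinux. The function names, the sample input and the rule that a deeper directory's type overrides its parent's are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code. Install paths are this page's defaults.
IMDB_DIR=${IMDB_DIR:-/var/opt/jp1imm/dbms/JM0}
IMGNDB_DIR=${IMGNDB_DIR:-/var/opt/jp1imm/dbms/imgndbbin/pgsql}

# Print the context type this page lists for a path (nothing if not covered).
# Assumption: the entry for a deeper directory overrides its parent's.
expected_type() {
    case "$1" in
        /etc/opt/jp1cons/jco_start|/etc/opt/jp1cons/jco_stop) echo bin_t ;;
        "$IMDB_DIR"/bin/*) echo bin_t ;;   # includes bin/servers
        "$IMDB_DIR"/lib/*) echo lib_t ;;
        "$IMDB_DIR"/*)     echo user_t ;;
        "$IMGNDB_DIR"/*)   echo postgresql_db_t ;;
    esac
}

# Read "context path" lines on stdin and report every file whose type differs.
# Returns 1 if any mismatch was found, 0 otherwise.
check_labels() {
    rc=0
    while read -r ctx path; do
        want=$(expected_type "$path")
        [ -n "$want" ] || continue          # path not covered by this page
        # Context is user:role:type:level; -s yields "" for unlabeled ("?").
        have=$(printf '%s\n' "$ctx" | cut -s -d: -f3)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path: have ${have:-none}, want $want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input; file names below the documented directories are
# placeholders. On a real host: find "$IMDB_DIR" -printf '%Z %p\n' | check_labels
sample_labels() {
    cat <<'EOF'
system_u:object_r:bin_t:s0 /etc/opt/jp1cons/jco_start
unconfined_u:object_r:etc_t:s0 /etc/opt/jp1cons/jco_stop
system_u:object_r:user_t:s0 /var/opt/jp1imm/dbms/JM0/example_file
system_u:object_r:bin_t:s0 /var/opt/jp1imm/dbms/JM0/bin/servers/example_server
system_u:object_r:lib_t:s0 /var/opt/jp1imm/dbms/JM0/lib/example.so
? /var/opt/jp1imm/dbms/imgndbbin/pgsql/example.conf
system_u:object_r:usr_t:s0 /opt/unrelated/file
EOF
}

sample_labels | check_labels || echo "labels differ from the documented types"
```

For a logical host, set IMDB_DIR and IMGNDB_DIR to the paths derived from jimdbclustersetupinfo.conf before calling check_labels.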