Hitachi

JP1 Version 13 JP1/Automatic Job Management System 3 Configuration Guide


15.10.4 SELinux-related settings (Linux only)

This section describes the procedure for operating JP1/AJS3 in a Linux environment (Linux 8 or later) in which SELinux is enabled.

Note that the procedure described here assumes that both root and non-root users are mapped to unconfined_u or another unconfined SELinux user. If you use SELinux users other than unconfined_u, do so at your own discretion.

To operate JP1/AJS3 in a Linux environment (Linux 8 or later) in which SELinux is enabled, you must reapply the OS default labels and then configure the security context after installing JP1/AJS3. For details about the procedure for reapplying the OS default labels, see 12.2.6 Installation in Linux.

File context rules are registered with the semanage fcontext command, and the labels are applied to the files on disk with the restorecon command.

(1) Settings for JP1/AJS3 - Manager

This section describes how to operate JP1/AJS3 - Manager in a Linux environment (Linux 8 or later) in which SELinux is enabled.

(a) Settings necessary for JP1/AJS3 - Manager

In an environment in which SELinux is enabled, the context type of the JP1/AJS3 - Manager executable files must be set to bin_t. The setting procedure is as follows:

  1. Set the context type of the relevant files to bin_t by executing the following commands:

    # find /etc/opt/jp1ajs2 -type f -perm /u=x -exec semanage fcontext -a -t bin_t '{}' \;
    # restorecon -FR /etc/opt/jp1ajs2
     
    # semanage fcontext -a -t bin_t '/opt/jp1ajs2/tools/[^/]*'
    # semanage fcontext -a -t bin_t '/opt/jp1ajs2/tools/IMDDAdapter/IMDDAdapter_HITACHI_JP1_AJS3.sh'
    # semanage fcontext -a -t bin_t '/opt/jp1ajs2/tools/RHELDB/[^/]*'
    # semanage fcontext -a -t bin_t '/opt/jp1ajs2/tools/RHELDB/OLDPP/[^/]*'
    # semanage fcontext -a -t bin_t '/opt/jp1ajs2/tools/SLESDB/[^/]*'
    # restorecon -FR /opt/jp1ajs2/tools

(b) Settings for the database

In an environment in which SELinux is enabled, configure the security context for the files in the database installation directory.

■ Settings to be specified if the database is installed in the default installation directory

Use the following procedure to configure the security context for the files in the database installation directory:

  1. Configure the security context for the files in the database installation directory by executing the following commands:

    # semanage fcontext -a -t usr_t /opt/jp1ajs2/embdb/setup-identifier'(/.*)?'
    # semanage fcontext -a -t bin_t /opt/jp1ajs2/embdb/setup-identifier/bin'(/.*)?'
    # semanage fcontext -a -t lib_t /opt/jp1ajs2/embdb/setup-identifier/lib'(/.*)?'
    # semanage fcontext -a -t bin_t /opt/jp1ajs2/embdb/setup-identifier/lib/servers'(/.*)?'
    # semanage fcontext -a -t lib_t /opt/jp1ajs2/embdb/setup-identifier/client/lib'(/.*)?'
    # semanage fcontext -a -t bin_t /opt/jp1ajs2/embdb/setup-identifier/client/utl'(/.*)?'
    # restorecon -FR /opt/jp1ajs2/embdb/setup-identifier

■ Settings to be specified if the database is not installed in the default installation directory

If the database is installed in a directory that is not the default installation directory, configure the security context for the files in the directory in which the database is installed. The configuration procedure is as follows:

  1. Configure the security context for the files in the database installation directory by executing the following commands:

    # semanage fcontext -a -t usr_t installation-directory'(/.*)?'
    # semanage fcontext -a -t bin_t installation-directory/bin'(/.*)?'
    # semanage fcontext -a -t lib_t installation-directory/lib'(/.*)?'
    # semanage fcontext -a -t bin_t installation-directory/lib/servers'(/.*)?'
    # semanage fcontext -a -t lib_t installation-directory/client/lib'(/.*)?'
    # semanage fcontext -a -t bin_t installation-directory/client/utl'(/.*)?'
    # restorecon -FR installation-directory

(c) Settings to be specified if a mail linkage function is used

In an environment in which SELinux is enabled, create a policy module that adds a function-specific context type, and assign that type to jpomailrecv. The following shows example settings.

■ Settings to be specified if sendmail is used

  1. Create the following code (by using a text editor such as vi), and then save the code in the jp1ajs_unconfined.te file:

    module jp1ajs_unconfined 1.0;
     
    require {
        type sendmail_t ;
        type unconfined_t ;
        attribute entry_type, exec_type, file_type ;
        class process transition ;
        class file { getattr open read execute entrypoint } ;
    }
     
    type jp1ajs_unconfined_exec_t ;
    typeattribute jp1ajs_unconfined_exec_t entry_type, exec_type, file_type ;
     
    allow sendmail_t unconfined_t:process transition ;
    allow sendmail_t jp1ajs_unconfined_exec_t:file { getattr open read execute };
    allow unconfined_t jp1ajs_unconfined_exec_t:file entrypoint ;
     
    type_transition sendmail_t jp1ajs_unconfined_exec_t:process unconfined_t ;

  2. Execute the following commands:

    # checkmodule -M -m -o jp1ajs_unconfined.mod jp1ajs_unconfined.te
    # semodule_package -o jp1ajs_unconfined.pp -m jp1ajs_unconfined.mod
    # semodule -i jp1ajs_unconfined.pp
    # semanage fcontext -a -t jp1ajs_unconfined_exec_t /opt/jp1ajs2/bin/jpomailrecv
    # restorecon -F /opt/jp1ajs2/bin/jpomailrecv

■ Settings to be specified if Postfix is used

  1. Create the following code (by using a text editor such as vi), and then save the code in the jp1ajs_unconfined.te file:

    module jp1ajs_unconfined 1.0;
     
    require {
        type postfix_local_t ;
        type unconfined_t ;
        attribute entry_type, exec_type, file_type ;
        class process transition ;
        class file { getattr open read execute entrypoint } ;
    }
     
    type jp1ajs_unconfined_exec_t ;
    typeattribute jp1ajs_unconfined_exec_t entry_type, exec_type, file_type ;
     
    allow postfix_local_t unconfined_t:process transition ;
    allow postfix_local_t jp1ajs_unconfined_exec_t:file { getattr open read execute };
    allow unconfined_t jp1ajs_unconfined_exec_t:file entrypoint ;
     
    type_transition postfix_local_t jp1ajs_unconfined_exec_t:process unconfined_t ;

  2. Execute the following commands:

    # checkmodule -M -m -o jp1ajs_unconfined.mod jp1ajs_unconfined.te
    # semodule_package -o jp1ajs_unconfined.pp -m jp1ajs_unconfined.mod
    # semodule -i jp1ajs_unconfined.pp
    # semanage fcontext -a -t jp1ajs_unconfined_exec_t /opt/jp1ajs2/bin/jpomailrecv
    # restorecon -F /opt/jp1ajs2/bin/jpomailrecv
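The following script is added here as an example and is not part of the Hitachi manual: after steps (a) to (c) it checks that the registered file-context rules and the on-disk labels match what this section prescribes. It assumes the default installation paths above and a constructed setup identifier _JF0 in place of setup-identifier.

```shell
#!/bin/sh
# Added verification for steps (a)-(c); not Hitachi's code. Assumes the
# default paths and a constructed setup identifier "_JF0" for setup-identifier.
EXPECTED_SPECS='
/opt/jp1ajs2/tools/[^/]* bin_t
/opt/jp1ajs2/tools/IMDDAdapter/IMDDAdapter_HITACHI_JP1_AJS3.sh bin_t
/opt/jp1ajs2/tools/RHELDB/[^/]* bin_t
/opt/jp1ajs2/tools/RHELDB/OLDPP/[^/]* bin_t
/opt/jp1ajs2/tools/SLESDB/[^/]* bin_t
/opt/jp1ajs2/embdb/_JF0(/.*)? usr_t
/opt/jp1ajs2/embdb/_JF0/bin(/.*)? bin_t
/opt/jp1ajs2/embdb/_JF0/lib(/.*)? lib_t
/opt/jp1ajs2/embdb/_JF0/lib/servers(/.*)? bin_t
/opt/jp1ajs2/embdb/_JF0/client/lib(/.*)? lib_t
/opt/jp1ajs2/embdb/_JF0/client/utl(/.*)? bin_t
/opt/jp1ajs2/bin/jpomailrecv jp1ajs_unconfined_exec_t
'
# Type field of a context such as system_u:object_r:bin_t:s0.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print each expected rule absent from $1, the output of "semanage fcontext -l -C".
# The spec is matched as a fixed string at line start: it is itself a regex.
missing_specs() {
    printf '%s\n' "$EXPECTED_SPECS" | while read -r spec type; do
        [ -n "$spec" ] || continue
        printf '%s\n' "$1" | awk -v s="$spec " -v t=":$type:" \
            'index($0, s) == 1 && index($0, t) > 0 { f = 1 } END { exit !f }' \
            || printf '%s %s\n' "$spec" "$type"
    done
}

# Compare the on-disk label of one path with the expected type (stat %C).
check_file_type() {
    actual=$(ctx_type "$(stat -c %C "$1")")
    [ "$actual" = "$2" ] && return 0
    printf 'MISMATCH %s: expected %s, found %s\n' "$1" "$2" "$actual"; return 1
}

# Live check on the configured host. Step (c) transitions sendmail_t or
# postfix_local_t to unconfined_t on exec of jpomailrecv, so the entry type
# should be on that one file only; the find lists everything carrying it.
live_check() {
    semodule -l | grep -q '^jp1ajs_unconfined' || echo 'jp1ajs_unconfined not loaded'
    check_file_type /opt/jp1ajs2/bin/jpomailrecv jp1ajs_unconfined_exec_t
    find /opt -context '*:jp1ajs_unconfined_exec_t:*'
    missing_specs "$(semanage fcontext -l -C)"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as root with --live on the configured host; an empty report from missing_specs and no MISMATCH line means the labels match this section.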

(2) Settings for JP1/AJS3 - Agent

This section describes how to operate JP1/AJS3 - Agent in a Linux environment (Linux 8 or later) in which SELinux is enabled.

(a) Settings necessary for JP1/AJS3 - Agent

In an environment in which SELinux is enabled, the context type of the JP1/AJS3 - Agent executable files must be set to bin_t. The setting procedure is as follows:

  1. Set the context type of the relevant files to bin_t by executing the following commands:

    # find /etc/opt/jp1ajs2 -type f -perm /u=x -exec semanage fcontext -a -t bin_t '{}' \;
    # restorecon -FR /etc/opt/jp1ajs2
     
    # semanage fcontext -a -t bin_t '/opt/jp1ajs2/tools/[^/]*'
    # semanage fcontext -a -t usr_t /opt/jp1ajs2/tools/embsch
    # restorecon -FR /opt/jp1ajs2/tools

(b) Settings to be specified if a mail linkage function is used

In an environment in which SELinux is enabled, create a policy module that adds a function-specific context type, and assign that type to jpomailrecv. The following shows example settings.

■ Settings to be specified if sendmail is used

  1. Create the following code (by using a text editor such as vi), and then save the code in the jp1ajs_unconfined.te file:

    module jp1ajs_unconfined 1.0;
     
    require {
        type sendmail_t ;
        type unconfined_t ;
        attribute entry_type, exec_type, file_type ;
        class process transition ;
        class file { getattr open read execute entrypoint } ;
    }
     
    type jp1ajs_unconfined_exec_t ;
    typeattribute jp1ajs_unconfined_exec_t entry_type, exec_type, file_type ;
     
    allow sendmail_t unconfined_t:process transition ;
    allow sendmail_t jp1ajs_unconfined_exec_t:file { getattr open read execute };
    allow unconfined_t jp1ajs_unconfined_exec_t:file entrypoint ;
     
    type_transition sendmail_t jp1ajs_unconfined_exec_t:process unconfined_t ;

  2. Execute the following commands:

    # checkmodule -M -m -o jp1ajs_unconfined.mod jp1ajs_unconfined.te
    # semodule_package -o jp1ajs_unconfined.pp -m jp1ajs_unconfined.mod
    # semodule -i jp1ajs_unconfined.pp
    # semanage fcontext -a -t jp1ajs_unconfined_exec_t /opt/jp1ajs2/bin/jpomailrecv
    # restorecon -F /opt/jp1ajs2/bin/jpomailrecv

■ Settings to be specified if Postfix is used

  1. Create the following code (by using a text editor such as vi), and then save the code in the jp1ajs_unconfined.te file:

    module jp1ajs_unconfined 1.0;
     
    require {
        type postfix_local_t ;
        type unconfined_t ;
        attribute entry_type, exec_type, file_type ;
        class process transition ;
        class file { getattr open read execute entrypoint } ;
    }
     
    type jp1ajs_unconfined_exec_t ;
    typeattribute jp1ajs_unconfined_exec_t entry_type, exec_type, file_type ;
     
    allow postfix_local_t unconfined_t:process transition ;
    allow postfix_local_t jp1ajs_unconfined_exec_t:file { getattr open read execute };
    allow unconfined_t jp1ajs_unconfined_exec_t:file entrypoint ;
     
    type_transition postfix_local_t jp1ajs_unconfined_exec_t:process unconfined_t ;

  2. Execute the following commands:

    # checkmodule -M -m -o jp1ajs_unconfined.mod jp1ajs_unconfined.te
    # semodule_package -o jp1ajs_unconfined.pp -m jp1ajs_unconfined.mod
    # semodule -i jp1ajs_unconfined.pp
    # semanage fcontext -a -t jp1ajs_unconfined_exec_t /opt/jp1ajs2/bin/jpomailrecv
    # restorecon -F /opt/jp1ajs2/bin/jpomailrecv

(3) Settings for JP1/AJS3 - Web Console

In an environment in which SELinux is enabled, the context type of the files that start and stop the JP1/AJS3 HTTP Server service and the JP1/AJS3 Web Application Server service (JP1/AJS3 - Web Console) must be set to bin_t. The setting procedure is as follows:

  1. Execute the following commands:

    # semanage fcontext -a -t bin_t '/etc/opt/jp1ajs3web/jajs_web'
    # semanage fcontext -a -t bin_t '/etc/opt/jp1ajs3web/jajs_web_stop'
    # restorecon -F /etc/opt/jp1ajs3web/jajs_web
    # restorecon -F /etc/opt/jp1ajs3web/jajs_web_stop
     
    # semanage fcontext -a -t bin_t '/etc/rc.d/init.d/jp1ajs3web'
    # restorecon -F /etc/rc.d/init.d/jp1ajs3web

  2. If JP1/Base is not installed on the same host, execute the following commands:

    # semanage fcontext -a -t usr_t '/opt/hitachi/HNTRLib2/etc(/.*)?'
    # restorecon -R -F /opt/hitachi/HNTRLib2/etc