Chapter 3. Security and SAP Solutions

SELinux is a security technology for process isolation to mitigate attacks via privilege escalation. SELinux is enabled on RHEL 8 by default and security policies for system processes are maintained by Red Hat. However, this does not apply to 3rd party applications, such as SAP HANA and S/4HANA. In previous releases, it was recommended to completely disable SELinux on RHEL when installing SAP software.

This has now changed with RHEL for SAP Solutions, and customers may use SELinux in the context of production SAP HANA and S/4HANA deployments.

Red Hat uses the Policy-Based Decryption (PBD) process by using multiple technologies to enable the unlocking of encrypted root and secondary volumes of hard drives.

Network Bound Disk Encryption (NBDE), delivered along with Red Hat Enterprise Linux, is a subcategory of PBD that allows binding encrypted volumes to a special server known as a tang server.

Tested for compliance with SAP HANA, customers of RHEL for SAP Solutions can use NBDE to run SAP HANA DB with encrypted hard drives leveraging automated unlocking capabilities via Tang server.

File access policy Daemon fapolicyd is a technology provided in RHEL to determine access rights to files based on a trust database and file or process attributes. It helps customers to ensure data remains protected even in case an attacker has successfully gained control over certain processes.