Using SELinux for SAP HANA
Chapter 1. Introduction to SELinux
SELinux provides enhanced security by enforcing security policies, using labels for files, processes, and ports, and logging unauthorized access attempts.

SELinux is enabled and set to enforcing mode on RHEL 9 by default, and the security policies for system processes are maintained by Red Hat. For more information, refer to Changing SELinux states and modes on RHEL. Refer to SAP Note 3108302 - SAP HANA DB: Recommended OS Settings for RHEL 9 to find out which HANA versions SAP has tested with SELinux set to enforcing and unconfined mode.

Red Hat recommends that you use SELinux in enforcing mode on your RHEL systems running SAP HANA. This document describes the necessary configuration changes that you must make.

In case you come across SELinux related issues while testing or running your SAP HANA system, SAP reserves the right to disable SELinux. However, most of the problems can be solved by changing the SELinux mode from enforcing to permissive. The advantage is that your system keeps operating while you analyze and solve the problem.
Chapter 2. Configuring SELinux to exclude SAP HANA directories
By default, any application for which no SELinux security policy has been defined is blocked by SELinux if your RHEL system is running with SELinux set to enforcing mode. As of today, SAP does not provide SELinux policies for SAP HANA. For running SAP HANA executables while SELinux is set to enforcing, a certain SELinux boolean has to be set, and the SAP HANA related directories have to be excluded from SELinux protection. You can also use the fapolicyd framework to protect your SAP HANA software. For more information, refer to the Configuring fapolicyd to allow only SAP HANA executables document.
Prerequisites
- SAP HANA is installed and stopped, or not yet installed.
- SELinux is available and set to enforcing mode.
- The directories in which SAP HANA and related software are installed (typically /hana and /usr/sap) exist.
Procedure
1. Use the following command to set the SELinux boolean selinuxuser_execmod to 1, allowing unconfined executables to use libraries that require text relocation (such as SAP HANA):

    # setsebool -P selinuxuser_execmod 1

2. Use the following commands to relabel the directories and files used by SAP HANA (typically /hana and /usr/sap) so that SAP HANA can be run in unconfined mode. The regular expression '(/.*)?' matches the directory itself and everything below it:

    # semanage fcontext -a -t usr_t '/hana(/.*)?'
    # semanage fcontext -a -t usr_t '/usr/sap(/.*)?'
    # restorecon -Rv '/hana'
    # restorecon -Rv '/usr/sap'

Note: You can perform this step before or after installing SAP HANA, as all newly created directories and files below the top-level directories inherit the SELinux labels.
Verification
Use the following commands to show the security context of a file in /usr/bin and of a directory in /hana, confirming that the directory under /hana has the usr_t label:

    # ls -lZ /usr/bin/ls
    # ls -lZd /hana/shared

Example output:

    [root@host01 ~]# ls -lZ /usr/bin/ls
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 143296 Jan  6  2023 /usr/bin/ls
    [root@host01 ~]# ls -lZd /hana/shared
    drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 17 Apr 18 23:03 /hana/shared
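The following script is an added example and not Red Hat's or SAP's own code. It wraps the procedure above (boolean, fcontext rules, restorecon) in a function that only runs on request, and adds a small checker that reads the SELinux type out of `ls -Z` style output so the verification step can be scripted. The paths /hana and /usr/sap and the usr_t type come from this document; the function names, the HANA_DIRS variable and the sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Red Hat's or SAP's own code: register the usr_t
# file-context rules for the SAP HANA directory trees and check `ls -Z`
# style output for the expected label. The paths come from the document;
# the function names and the HANA_DIRS variable are our own assumptions.

HANA_DIRS="${HANA_DIRS:-/hana /usr/sap}"   # assumption: overridable via the environment

# Apply the document's procedure: set the boolean, register one fcontext
# rule per tree and relabel. Needs root and the semanage/restorecon tools,
# so it is only run when the script is started with --apply.
apply_hana_labels() {
    setsebool -P selinuxuser_execmod 1 || return 1
    for dir in $HANA_DIRS; do
        # "(/.*)?" covers the directory itself and everything below it
        semanage fcontext -a -t usr_t "${dir}(/.*)?" || return 1
        restorecon -Rv "$dir" || return 1
    done
}

# Print the SELinux type (third colon-separated field of the context,
# e.g. usr_t) found in one line of `ls -Z` or `ls -lZ` output.
label_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+_u:[^:]+_r:[^:]+_t:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Succeed (exit 0) only when the line carries the expected type.
verify_label() {   # $1 = ls -Z line, $2 = expected type such as usr_t
    [ "$(label_type_of "$1")" = "$2" ]
}

# Constructed sample lines, modelled on the verification output above.
SAMPLE_BIN='-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 143296 Jan 6 2023 /usr/bin/ls'
SAMPLE_HANA='drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 17 Apr 18 23:03 /hana/shared'

for sample in "$SAMPLE_BIN" "$SAMPLE_HANA"; do
    if verify_label "$sample" usr_t; then status="usr_t (expected for SAP HANA trees)"
    else status="$(label_type_of "$sample") (not usr_t)"; fi
    printf '%s: %s\n' "${sample##* }" "$status"
done

if [ "${1:-}" = "--apply" ]; then
    apply_hana_labels
fi
```

Run without arguments to see the checker on the constructed sample lines; on a real system `ls -lZd /hana/shared | while read -r line; do verify_label "$line" usr_t || echo "wrong label: $line"; done` checks the live tree, and `--apply` performs the relabeling as root. The checker also copes with MLS ranges such as s0-s0:c0.c1023 because it only looks at the third field of the context.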
Chapter 3. Troubleshooting issues related to SELinux
For diagnosing issues related to SELinux, you can check the file /var/log/audit/audit.log as follows:

- To query Audit logs, use the ausearch tool. SELinux decisions, such as allowing or disallowing access, are cached in the Access Vector Cache (AVC). Therefore, use the AVC and USER_AVC values for the message type parameter, for example:

    # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot

- If there are no matches, check whether the Audit daemon is running. If it is not running, perform the following steps:
  - Restart the Audit daemon.
  - Re-run the denied scenario.
  - Check the Audit log again.
For more information about solving SELinux related issues, see Troubleshooting problems related to SELinux.
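As an added example that is not part of this document or of any Red Hat or SAP tool, the script below condenses the AVC and USER_AVC denial records that the ausearch call above returns into one line per denial (process, denied permission, object class, source and target types, path). The record layout is the standard Linux audit format; the function names and the sample records are constructed for the example.

```shell
#!/bin/sh
# Added example, not Red Hat's or SAP's own code: summarize AVC denial
# records (the AVC and USER_AVC types selected by the ausearch call above)
# into one line per denial. The record layout follows the Linux audit
# format; function names and the sample records are our own constructions.

# Read audit records on stdin, print "comm|permission|class|stype|ttype|path".
avc_summary() {
    awk '
    # value of key=..., whether double-quoted or bare; "-" when the key is absent
    function kv(line, key) {
        if (match(line, key "=\"[^\"]*\""))
            return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        if (match(line, key "=[^ ]+"))
            return substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return "-"
    }
    # the SELinux type is the third field of user:role:type:level
    function ctx_type(ctx,    c) { split(ctx, c, ":"); return c[3] }
    /^type=(AVC|USER_AVC) / && /denied/ {
        perm = "-"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        printf "%s|%s|%s|%s|%s|%s\n", kv($0, "comm"), perm, kv($0, "tclass"),
            ctx_type(kv($0, "scontext")), ctx_type(kv($0, "tcontext")), kv($0, "path")
    }'
}

# Number of denial records in the input on stdin.
denial_count() {
    avc_summary | wc -l | tr -d ' '
}

# Constructed sample records (not taken from a real system): one SYSCALL
# record that must be ignored and two denials, one with a path and one
# without. A denied execmod for an SAP HANA process is the case the
# selinuxuser_execmod boolean in Chapter 2 addresses; a target type other
# than usr_t on a path under /hana or /usr/sap points at the relabeling step.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1713478980.123:456): arch=c000003e syscall=10 success=no exit=-13 comm="hdbindexserver" exe="/hana/shared/HDB/exe/hdbindexserver"
type=AVC msg=audit(1713478980.123:456): avc:  denied  { execmod } for  pid=4242 comm="hdbindexserver" path="/hana/shared/HDB/exe/example.so" dev="dm-3" ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1713478981.456:457): avc:  denied  { execstack } for  pid=4242 comm="hdbindexserver" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0'

printf 'denials in sample: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | denial_count)"
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a live system feed the script with `ausearch -m AVC,USER_AVC -ts boot | avc_summary` or with the raw file, `avc_summary < /var/log/audit/audit.log`; the `----` and `time->` separator lines that ausearch prints are ignored because only records starting with `type=AVC` or `type=USER_AVC` are considered. Keeping the permission, class and both types on one line makes it easy to sort and count the distinct denials before deciding whether a label, a boolean or a policy change is the right fix.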
Chapter 4. Additional information
- Depending on your environment (cloud providers, third party user tools, and agents), you should change SELinux labels on additional mount points (/opt, /sapmnt, and /trans).