
Chapter 2. Configuring SELinux to exclude SAP HANA directories


By default, SELinux blocks any application for which no SELinux security policy has been defined if your RHEL system is running with SELinux set to enforcing mode. As of today, SAP does not provide SELinux policies for SAP HANA. To run SAP HANA executables while SELinux is set to enforcing, you must set the SELinux boolean selinuxuser_execmod and exclude the SAP HANA related directories from SELinux protection. You can also use the fapolicyd framework to protect your SAP HANA software. For more information, refer to the Configuring fapolicyd to allow only SAP HANA executables document.

Prerequisites

  • SAP HANA is installed and stopped, or not yet installed.
  • SELinux is available and set to enforcing mode.
  • The directories in which SAP HANA and related software are installed (typically /hana and /usr/sap) exist.

Procedure

  1. Use the following command to set the SELinux boolean selinuxuser_execmod to 1, allowing unconfined executables to use libraries that require text relocation (such as SAP HANA):

    # setsebool -P selinuxuser_execmod 1

  2. Use the following commands to relabel the directories and files used by SAP HANA (typically /hana and /usr/sap) so that SAP HANA can be run in unconfined mode:

    # semanage fcontext -a -t usr_t '/hana(/.*)?'
    # semanage fcontext -a -t usr_t '/usr/sap(/.*)?'
    # restorecon -Rv '/hana'
    # restorecon -Rv '/usr/sap'

    Note

    You can perform this step before or after installing SAP HANA, as all newly created directories and files below the upper level directories inherit the SELinux labels.

Verification

  • Use the following command to show the security context of a file or directory in /usr/bin and in /hana, confirming that the file or directory under /hana has the usr_t label:

    [root@host01 ~]# ls -lZ /usr/bin/ls
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 143296 Jan  6  2023 /usr/bin/ls
    [root@host01 ~]# ls -lZd /hana/shared
    drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 17 Apr 18 23:03 /hana/shared
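
The verification above checks a single directory. As an added example (not part of the Red Hat document), the following script applies the same check to many paths: it reads "context path" lines, the format printed by stat -c '%C %n', and lists every path whose SELinux type is not usr_t, and it also interprets the output of getsebool selinuxuser_execmod. The function names and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the Red Hat document. Function names are hypothetical.

# Constructed sample in the format printed by: stat -c '%C %n' PATH...
# The third line imitates a file that kept a label from elsewhere.
SAMPLE_LABELS='system_u:object_r:usr_t:s0 /hana/shared
system_u:object_r:usr_t:s0 /usr/sap/hostctrl
unconfined_u:object_r:user_home_t:s0 /hana/shared/install media/setup.bin'

# mislabeled_paths EXPECTED_TYPE
# Reads "context path" lines on stdin, prints "path (type)" for each mismatch.
mislabeled_paths() {
    awk -v want="$1" '
        NF >= 2 {
            ctx = $1
            # Keep everything after the first separator so paths with spaces survive.
            path = substr($0, length(ctx) + 2)
            # A context is user:role:type:level; the type is the third field.
            n = split(ctx, f, ":")
            t = (n >= 3) ? f[3] : "unknown"
            if (t != want) print path " (" t ")"
        }'
}

# execmod_enabled LINE
# LINE is the output of: getsebool selinuxuser_execmod
# Succeeds only when the boolean reads "on".
execmod_enabled() {
    case "$1" in
        "selinuxuser_execmod --> on") return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample. On a real host, feed it with:
#   find /hana /usr/sap -exec stat -c '%C %n' {} + | mislabeled_paths usr_t
printf '%s\n' "$SAMPLE_LABELS" | mislabeled_paths usr_t
```

Any path the script prints can be relabeled with the restorecon commands from the procedure.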

© 2024 Red Hat, Inc.