Chapter 2. Configuring SELinux to exclude SAP HANA directories
By default, any application for which no SELinux security policy has been defined is blocked by SELinux if your RHEL system is running with SELinux in enforcing mode. As of today, SAP does not provide SELinux policies for SAP HANA. To run SAP HANA executables while SELinux is in enforcing mode, one SELinux boolean has to be set, and the SAP HANA related directories have to be excluded from SELinux protection. You can also use the fapolicyd framework to protect your SAP HANA software. For more information, refer to the Configuring fapolicyd to allow only SAP HANA executables document.
Prerequisites
- SAP HANA is installed and stopped, or not yet installed.
- SELinux is available and set to enforcing mode.
- The directories in which SAP HANA and related software are installed (typically /hana and /usr/sap) exist.
Procedure
1. Use the following command to set the SELinux boolean selinuxuser_execmod to 1, allowing unconfined executables to use libraries that require text relocation (such as SAP HANA):

   # setsebool -P selinuxuser_execmod 1

2. Use the following commands to relabel the directories and files used by SAP HANA (typically /hana and /usr/sap) so that SAP HANA can be run in unconfined mode:

   # semanage fcontext -a -t usr_t '/hana(/.*)?'
   # semanage fcontext -a -t usr_t '/usr/sap(/.*)?'
   # restorecon -Rv '/hana'
   # restorecon -Rv '/usr/sap'
Note: You can perform this step before or after installing SAP HANA, as all newly created directories and files below the upper level directories inherit the SELinux labels.
Verification
Use the following command to show the security context of a file or directory in /usr/bin and in /hana, confirming that the file or directory under /hana has the usr_t label:

   [root@host01 ~]# ls -lZ /usr/bin/ls
   -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 143296 Jan 6 2023 /usr/bin/ls
   [root@host01 ~]# ls -lZd /hana/shared
   drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 17 Apr 18 23:03 /hana/shared
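The manual check above can be turned into a repeatable drift check. The script below is an added example, not part of the Red Hat document: it parses getsebool and ls -lZ output to confirm the selinuxuser_execmod boolean is on and that entries under /hana and /usr/sap carry the usr_t type; the sample lines and the --live option are assumptions of the example.

```shell
#!/bin/bash
# Added example (not from the Red Hat document). Verifies the end state of the
# procedure above: boolean selinuxuser_execmod on, /hana and /usr/sap labelled
# usr_t. Parsing functions take command output as text so they can be run on
# the constructed samples below; live_check feeds them real command output.

# Print the SELinux type (third field of the context) from one line of
# `ls -Z` / `ls -lZd` output, e.g. "system_u:object_r:usr_t:s0" -> "usr_t".
context_type() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[A-Za-z_]+:[A-Za-z_]+:[A-Za-z0-9_]+_t(:|$)/) {
        split($i, c, ":"); print c[3]; exit
      }
  }'
}

# Return 0 when a `getsebool <boolean>` output line reports it as "on".
boolean_is_on() {
  case "$1" in
    *" --> on") return 0 ;;
    *) return 1 ;;
  esac
}

# Read `ls -lZ` style lines on stdin; print each entry whose type is not
# usr_t and return 1 if any were found (assumes paths without spaces).
find_mislabeled() {
  local rc=0 line type
  while IFS= read -r line; do
    type=$(context_type "$line")
    [ -n "$type" ] || continue          # skips lines such as "total 0"
    if [ "$type" != usr_t ]; then
      printf 'not usr_t: %s (%s)\n' "${line##* }" "$type"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed samples in the format shown in the Verification section.
SAMPLE_OK='drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 17 Apr 18 23:03 /hana/shared
drwxr-xr-x. 2 root root system_u:object_r:usr_t:s0 6 Apr 18 23:03 /usr/sap'
SAMPLE_MIXED="$SAMPLE_OK
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 143296 Jan 6 2023 /usr/bin/ls"

# Check the running system: ./check_hana_selinux.sh --live
live_check() {
  boolean_is_on "$(getsebool selinuxuser_execmod)" \
    || { echo 'selinuxuser_execmod is off'; return 1; }
  ls -lZd /hana /usr/sap /hana/* /usr/sap/* 2>/dev/null | find_mislabeled
}
if [ "${1:-}" = --live ]; then live_check; fi
```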