Chapter 2. Configuring SELinux to exclude SAP HANA directories

By default, any application for which no SELinux security policy has been defined is blocked by SELinux if your RHEL system is running with SELinux set to enforcing mode. As of today, SAP does not provide SELinux policies for SAP HANA. For running SAP HANA executables while SELinux is set to enforcing, a certain SELinux boolean has to be set, and the SAP HANA related directories have to be excluded from SELinux protection. You can also use the fapolicyd framework to protect your SAP HANA software. For more information, refer to the Configuring fapolicyd to allow only SAP HANA executables document.

Prerequisites

  • SAP HANA is installed and stopped, or not yet installed.
  • SELinux is available and set to enforcing mode.
  • The directories in which SAP HANA and related software are installed (typically /hana and /usr/sap) exist.

Procedure

  1. Use the following command to set the SELinux boolean selinuxuser_execmod to 1, allowing unconfined executables to use libraries that require text relocation (such as SAP HANA):

    # setsebool -P selinuxuser_execmod 1
  2. Use the following commands to relabel the directories and files used by SAP HANA (typically /hana and /usr/sap) so that SAP HANA can be run in unconfined mode:

    # semanage fcontext -a -t usr_t '/hana(/.*)?'
    # semanage fcontext -a -t usr_t '/usr/sap(/.*)?'
    # restorecon -Rv '/hana'
    # restorecon -Rv '/usr/sap'
    Note

    You can perform this step before or after installing SAP HANA, as all newly created directories and files below the upper level directories inherit the SELinux labels.

Verification

  • Use the following command to show the security context of a file or directory in /usr/bin and in /hana, confirming that the file or directory under /hana has the usr_t label:

    [root@host01 ~]# ls -lZ /usr/bin/ls
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 143296 Jan  6  2023 /usr/bin/ls
    [root@host01 ~]# ls -lZd /hana/shared
    drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 17 Apr 18 23:03 /hana/shared
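
To check the whole tree rather than a single directory, the following added example (not part of the Red Hat documentation) parses `getsebool` output and `find -printf '%Z %p\n'` output and lists every path whose SELinux type is not usr_t. The function names and the sample paths and labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the procedure above (function names are hypothetical).

# Print the paths whose SELinux type differs from the expected type ($1).
# stdin: "<context> <path>" lines, as produced by: find DIR -printf '%Z %p\n'
mislabeled() {
    awk -v want="$1" '{
        split($1, ctx, ":")        # user:role:type:level[:categories]
        if (ctx[3] != want) {
            sub(/^[^ ]+ /, "")     # drop the context, keep the path (may contain spaces)
            print
        }
    }'
}

# Succeed only if the getsebool output on stdin reports boolean $1 as on.
# stdin: for example "selinuxuser_execmod --> on"
boolean_is_on() {
    grep -q -- "^$1 --> on\$"
}

# Full check for a host with SELinux enabled; returns non-zero on any finding.
audit_hana_labels() {
    getsebool selinuxuser_execmod | boolean_is_on selinuxuser_execmod ||
        { echo "selinuxuser_execmod is off" >&2; return 1; }
    bad=$(find /hana /usr/sap -printf '%Z %p\n' | mislabeled usr_t)
    [ -z "$bad" ] || { printf 'not usr_t: %s\n' "$bad" >&2; return 1; }
}

# Constructed sample input (not taken from a real system).
sample_labels() {
    cat <<'EOF'
system_u:object_r:usr_t:s0 /hana/shared
unconfined_u:object_r:usr_t:s0 /hana/shared/new-dir
unconfined_u:object_r:admin_home_t:s0 /hana/shared/moved in.tgz
system_u:object_r:usr_t:s0 /usr/sap
unconfined_u:object_r:default_t:s0:c0.c5 /usr/sap/example.bin
EOF
}

# Offline demonstration: prints the two paths that are not usr_t.
sample_labels | mislabeled usr_t
```

On a RHEL host, run `audit_hana_labels` as root; `restorecon -Rnv /hana /usr/sap` gives a comparable dry-run view of labels that differ from the configured file contexts.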
© 2024 Red Hat, Inc.