Using SELinux for SAP HANA
Abstract
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code and documentation. We are beginning with these four terms: master, slave, blacklist, and whitelist. Due to the enormity of this endeavor, these changes will be gradually implemented over upcoming releases. For more details on making our language more inclusive, see our CTO Chris Wright’s message.
Chapter 1. Introduction to SELinux
SELinux provides enhanced security by enforcing security policies, using labels for files, processes and ports, and logging unauthorized access attempts.
SELinux is enabled and set to enforcing mode on RHEL 9 by default, and security policies for system processes are maintained by Red Hat. For more information, refer to Changing SELinux states and modes on RHEL. To find out which HANA versions SAP has tested with SELinux set to enforcing mode and running unconfined, refer to SAP Note 3108302 - SAP HANA DB: Recommended OS Settings for RHEL 9.
Red Hat recommends that you use SELinux in enforcing mode on your RHEL systems running SAP HANA. This document describes the configuration changes that you must make to do so.
If you encounter SELinux-related issues while testing or running your SAP HANA system, SAP reserves the right to disable SELinux. However, most problems can be solved by switching SELinux from enforcing to permissive mode. The advantage is that your system keeps operating while you analyze and solve the problem.
Chapter 2. Configuring SELinux to exclude SAP HANA directories
By default, if your RHEL system is running with SELinux set to enforcing mode, any application for which no SELinux security policy has been defined is blocked by SELinux. As of today, SAP does not provide SELinux policies for SAP HANA. To run SAP HANA executables while SELinux is set to enforcing, the selinuxuser_execmod SELinux boolean has to be set, and the SAP HANA related directories have to be excluded from SELinux protection. You can also use the fapolicyd framework to protect your SAP HANA software. For more information, refer to the Configuring fapolicyd to allow only SAP HANA executables document.
Prerequisites
- SAP HANA is installed and stopped, or not yet installed.
- SELinux is available and set to enforcing mode.
- The directories in which SAP HANA and related software are installed (typically /hana and /usr/sap) exist.
Procedure
1. Use the following command to set the SELinux boolean selinuxuser_execmod to 1, allowing unconfined executables to use libraries that require text relocation (such as SAP HANA):

   # setsebool -P selinuxuser_execmod 1

2. Use the following commands to relabel the directories and files used by SAP HANA (typically /hana and /usr/sap) so that SAP HANA can be run in unconfined mode:

   # semanage fcontext -a -t usr_t '/hana(/.*)?'
   # semanage fcontext -a -t usr_t '/lss/shared(/.*)?'
   # semanage fcontext -a -t usr_t '/usr/sap(/.*)?'
   # restorecon -Rv '/hana'
   # restorecon -Rv '/lss/shared'
   # restorecon -Rv '/usr/sap'

   Note: You can perform this step before or after installing SAP HANA, as all newly created directories and files below the upper level directories inherit the SELinux labels.
Verification
- Use the following command to show the security context of a file or directory in /usr/bin and in /hana, confirming that the file or directory under /hana has the usr_t label:

   [root@host01 ~]# ls -lZ /usr/bin/ls
   -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 143296 Jan 6 2023 /usr/bin/ls
   [root@host01 ~]# ls -lZd /hana/shared
   drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 17 Apr 18 23:03 /hana/shared
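Checking every SAP HANA directory by eye does not scale, so here is an added example (not part of the Red Hat document) that extracts the SELinux type from `ls -lZd` output and reports any path below /hana, /usr/sap or /lss/shared that is not labeled usr_t. The sample output is constructed; on a real host you feed it live `ls -lZd` output instead.

```shell
#!/bin/sh
# Added example, not from the Red Hat document: verify the usr_t relabeling
# of the SAP HANA directories from `ls -lZd` output.

# Constructed sample of `ls -lZd` output (not captured from a real host):
# three relabeled SAP HANA paths, one path that restorecon missed (still
# default_t) and one non-HANA path for contrast.
SAMPLE_LS_OUTPUT='drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 17 Apr 18 23:03 /hana/shared
drwxr-xr-x. 5 root root system_u:object_r:usr_t:s0 45 Apr 18 23:03 /usr/sap
drwxr-xr-x. 2 root root system_u:object_r:usr_t:s0 6 Apr 18 23:04 /lss/shared
drwxr-xr-x. 2 root root system_u:object_r:default_t:s0 6 Apr 18 23:01 /hana/data
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0 20480 Jan 6 2023 /usr/bin'

# Field 5 of an `ls -lZ` line is the context user:role:type:level;
# print its type component (for example usr_t) for one line.
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($5, ctx, ":"); print ctx[3] }'
}

# Print "path type" for every line whose path lies below /hana, /usr/sap or
# /lss/shared but whose type is not usr_t. Exit 0 if all of them are usr_t,
# 1 if at least one still needs restorecon.
find_mislabeled() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^(\/hana|\/usr\/sap|\/lss\/shared)(\/|$)/ {
            split($5, ctx, ":")
            if (ctx[3] != "usr_t") { print $NF, ctx[3]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# On a real host, pass live output instead of the sample, for example:
#   find_mislabeled "$(ls -lZd /hana /hana/* /usr/sap /lss/shared 2>/dev/null)"
# A non-zero exit means some path still needs `restorecon -Rv`.
```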
Chapter 3. Troubleshooting issues related to SELinux
For diagnosing issues related to SELinux, you can check the file /var/log/audit/audit.log, as follows:
- To query Audit logs, use the ausearch tool. SELinux decisions, such as allowing or disallowing access, are cached in the Access Vector Cache (AVC). Therefore, you should use the AVC and USER_AVC values for the message type parameter, for example:

   # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot

- If there are no matches, check if the Audit daemon is running. If it is not running, perform the following steps:
  - Restart the Audit daemon.
  - Re-run the denied scenario.
  - Check the Audit log again.
For more information about solving SELinux-related issues, see Troubleshooting problems related to SELinux.
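The ausearch output is verbose, so here is an added example (not part of the Red Hat document) that pulls the denied permission, process, path and target type out of AVC records and maps each denial to the step in this document that addresses it: a path under the SAP HANA directories that is not usr_t points to the relabeling step, and an execmod denial on a correctly labeled file points to the selinuxuser_execmod boolean. The audit.log excerpt, process names and paths are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the Red Hat document: summarize AVC denials and
# relate them to the relabeling and boolean steps described in this document.

# Constructed audit.log excerpt (not captured from a real system): one AVC
# denial plus a SYSCALL record that the parser must ignore.
SAMPLE_AUDIT='type=AVC msg=audit(1713474218.123:456): avc:  denied  { execmod } for  pid=4321 comm="hdbindexserver" path="/hana/shared/HDB/exe/linuxx86_64/hdb/libhdbbasis.so" dev="dm-3" ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1713474218.123:456): arch=c000003e syscall=10 success=no exit=-13 comm="hdbindexserver"'

# Print one line per denial: "<permission> <comm> <path> <target type>".
summarize_avc() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && / denied / {
            perm = comm = path = ttype = ""
            # the denied permission sits between "{ " and " }"
            if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                gsub(/"/, "", val)
                if (key == "comm") comm = val
                else if (key == "path") path = val
                else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
            }
            print perm, comm, path, ttype
        }'
}

# Map each summarized denial to the fix described in this document.
hint_for_denial() {
    summarize_avc "$1" | while read -r perm comm path ttype; do
        case "$path" in
            /hana/*|/usr/sap/*|/lss/shared/*)
                if [ "$ttype" != usr_t ]; then
                    echo "$path is $ttype, not usr_t: rerun semanage fcontext/restorecon"
                    continue
                fi ;;
        esac
        if [ "$perm" = execmod ]; then
            echo "$comm needs text relocation: setsebool -P selinuxuser_execmod 1"
        else
            echo "$comm denied $perm on $path: inspect the full record with ausearch"
        fi
    done
}
```

On a live host, pipe the records in with `hint_for_denial "$(ausearch -m AVC,USER_AVC -ts boot)"`.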
Chapter 4. Additional information
- Depending on your environment (cloud providers, third party user tools, and agents), you should change SELinux labels on additional mount points (/opt, /sapmnt, and /trans).