How do I monitor a Linux system with SELinux Enforced with AppManager? (NETIQKB72362)

  • 7772362
  • 27-May-2010
  • 27-May-2010

Environment

AppManager UNIX

SELinux

RedHat

CentOS

SuSE

Situation

The NetIQ UNIX agent will be blocked from performing essential activities on a Linux system if SELinux is set to Enforcing.

Resolution

The easiest way to ensure proper system monitoring and to avoid log spam is to disable SELinux on monitored Linux hosts.

If SELinux is required in your environment, you may want to switch it to Permissive mode, which does not block activities it considers suspicious (in Permissive mode SELinux only logs them).

If your environment requires Enforcing mode, the SELinux subsystem will need to be properly configured for the NetIQ UNIX Agent. For that configuration to be correct, the AppManager UNIX components of the NetIQ UNIX Agent will need to run as a non-root user.

Please note that at this time only the AppManager components of the UNIX Agent are able to run as non-root, so this guide was developed with a focus on those components. This is also an unofficial guide; support for SELinux is best effort at the moment due to the complexity of the SELinux subsystem.

Let's first check our SELinux users:

[root@HTSRH55 ~]# semanage user -l

                Labeling   MLS/       MLS/                         
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r

These are our SELinux users. They are separate from Linux system users and act more like user 'groups' that multiple system users can be mapped to.

We are going to add a NetIQ SELinux user to perform the monitoring tasks properly, and we will try to isolate as many NetIQ activities as possible within this NetIQ SELinux user.

[root@HTSRH55 ~]# semanage user -P user -R "system_r sysadm_r user_r" -a netiq_u
[root@HTSRH55 ~]# semanage user -l

                Labeling   MLS/       MLS/                         
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

netiq_u         user       s0         s0                             system_r sysadm_r user_r
root            user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r


Now that we have a NetIQ SELinux user, we will add the system user that the UNIX Agent will run under to perform its monitoring tasks:

[root@HTSRH55 ~]# adduser -m -Z netiq_u netiq

We can now see that the netiq user is linked to the netiq_u SELinux user.

[root@HTSRH55 ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range           

__default__               user_u                    s0                      
netiq                     netiq_u                   s0                      
root                      root                      SystemLow-SystemHigh    


Now go ahead and perform the UNIX Agent installation, specifying the netiq user/group to run as. System-level monitoring commands such as ifconfig should now be allowed for the netiq user.
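The following script is an added example and is not part of the NetIQ article or the AppManager product. It covers two checks a practitioner would want after completing the steps above: that the netiq login is actually mapped to the netiq_u SELinux user (by parsing the `semanage login -l` listing in the layout shown above), and how many AVC denials the audit log attributes to netiq_u, which is the "log spam" that appears when the agent is blocked in Enforcing mode or logged in Permissive mode. The listing and audit-log lines embedded in the script are constructed samples; the login name netiq and SELinux user netiq_u follow the article, and the audit-log path is assumed to be the default /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the NetIQ article): offline-testable checks for the
# SELinux user mapping and for AVC denials attributed to the netiq_u user.

# Print the SELinux user mapped to LOGIN in LISTING (the text of `semanage login -l`).
# Prints nothing when the login is not present.
selinux_user_for_login() {
    login="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -v login="$login" '
        # Data rows look like: <login> <selinux user> <mls/mcs range>.
        # The header row starts with "Login", so it never matches a real login.
        NF >= 2 && $1 == login { print $2; exit }
    '
}

# Succeed (exit 0) when LOGIN maps to EXPECTED in LISTING, fail (exit 1) otherwise.
check_login_mapping() {
    login="$1"; expected="$2"; listing="$3"
    [ "$(selinux_user_for_login "$login" "$listing")" = "$expected" ]
}

# Count "type=AVC ... denied ..." audit records whose scontext belongs to SEUSER.
# AUDIT is the text of the audit log; scontext is user:role:type:level and only
# the user field is compared.
count_avc_denials_for_user() {
    seuser="$1"; audit="$2"
    printf '%s\n' "$audit" | awk -v seuser="$seuser" '
        /^type=AVC / && / denied / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") {
                    split(kv[2], ctx, ":")
                    if (ctx[1] == seuser) n++
                }
            }
        }
        END { print n + 0 }
    '
}

# Constructed sample of `semanage login -l` output, matching the article's layout.
SAMPLE_LISTING='Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
netiq                     netiq_u                   s0
root                      root                      SystemLow-SystemHigh'

# Constructed audit.log excerpt: two denials for netiq_u, one for user_u,
# plus a SYSCALL record that must not be counted.
SAMPLE_AUDIT='type=AVC msg=audit(1275000000.101:201): avc:  denied  { read } for  pid=4101 comm="ifconfig" name="net" dev=proc ino=4026531840 scontext=netiq_u:system_r:user_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1275000000.102:202): avc:  denied  { getattr } for  pid=4102 comm="df" path="/" dev=sda1 ino=2 scontext=netiq_u:system_r:user_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1275000000.103:203): avc:  denied  { write } for  pid=4103 comm="vi" name="passwd" dev=sda1 ino=1111 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1275000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="ifconfig" subj=netiq_u:system_r:user_t:s0'

# With --live, read the real host (requires policycoreutils and root);
# otherwise report on the constructed samples so the script runs anywhere.
if [ "${1:-}" = "--live" ]; then
    listing=$(semanage login -l) || exit 1
    audit=$(cat /var/log/audit/audit.log 2>/dev/null) || audit=""
else
    listing=$SAMPLE_LISTING
    audit=$SAMPLE_AUDIT
fi

if check_login_mapping netiq netiq_u "$listing"; then
    echo "login netiq is mapped to netiq_u"
else
    echo "login netiq is NOT mapped to netiq_u (got: '$(selinux_user_for_login netiq "$listing")')"
fi
echo "AVC denials attributed to netiq_u: $(count_avc_denials_for_user netiq_u "$audit")"
```

Run it with no arguments to exercise the constructed samples, or with --live on a monitored host after the agent install to confirm the mapping and see whether any denials are still being attributed to netiq_u; a non-zero count in Enforcing mode means the agent is still being blocked and the policy needs further work.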

Additional Information

Formerly known as NETIQKB72362