Environment
AppManager UNIX
SELinux
RedHat
CentOS
SuSE
Situation
Resolution
The easiest way to ensure proper system monitoring and to avoid log spam is to disable SELinux on monitored Linux hosts.
If SELinux is required in your environment, you may want to switch it to Permissive mode, which does not block activities the policy would deny (in Permissive mode SELinux only logs them).
If your environment requires Enforcing mode, the SELinux subsystem will need to be configured correctly for the NetIQ UNIX Agent. For a fully correct setup, the AppManager UNIX components of the NetIQ UNIX Agent will need to run as a non-root user.
Please note that at this time only the AppManager components of the UNIX Agent are able to run as non-root, so this guide was developed with a focus on those components. This is also an unofficial guide; support for SELinux is best effort at the moment because of the complexity of the SELinux subsystem.
Let's first check our SELinux users:

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles

root            user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh   system_r
user_u          user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
These are our SELinux users. They are distinct from Linux system users and behave more like 'groups': several system users can be mapped to the same SELinux user.
We are going to add a NetIQ SELinux user that will perform the monitoring tasks, and we will try to isolate as many NetIQ activities as possible within this SELinux user. Once it has been added, listing the SELinux users again shows the new netiq_u entry:
[root@HTSRH55 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles

netiq_u         user       s0         s0                     system_r sysadm_r user_r
root            user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh   system_r
user_u          user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
Now that we have a NetIQ SELinux user, we will add a system user that the UNIX Agent will run under to perform its monitoring tasks.
Listing the login mappings shows that the netiq system user is linked to the netiq_u SELinux user:
[root@HTSRH55 ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
netiq                     netiq_u                   s0
root                      root                      SystemLow-SystemHigh
Now perform the UNIX Agent installation, specifying the netiq user and group as the account to run as. System-level monitoring commands such as ifconfig should now be permitted for the NetIQ user.
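As an added example that is not part of the original article, the following POSIX shell check parses `semanage login -l` output and confirms that the netiq login is explicitly mapped to netiq_u rather than falling through to `__default__`; the embedded sample is constructed from the listing above, and the function and variable names are my own, not NetIQ's.

```shell
#!/bin/sh
# Added example, not from the NetIQ article: confirm that the 'netiq' login is
# mapped to the 'netiq_u' SELinux user by parsing `semanage login -l` output.
# Function and variable names here are my own, not NetIQ's.

# Print the SELinux user that login $1 is mapped to; the `semanage login -l`
# listing is read from stdin. Exit status 1 if the login has no explicit mapping.
seuser_for_login() {
    awk -v login="$1" '
        NF >= 2 && $1 == login { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Return 0 if login $1 maps to SELinux user $2, 1 otherwise, with a verdict line.
# A login with no explicit mapping silently falls back to __default__ (user_u
# here), so the agent would not run in the intended context.
check_login_mapping() {
    login="$1"; expected="$2"
    if ! actual=$(seuser_for_login "$login"); then
        echo "FAIL: no explicit mapping for '$login'; it would fall back to __default__"
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $login -> $actual"
        return 0
    fi
    echo "FAIL: $login -> $actual (expected $expected)"
    return 1
}

# Constructed sample input: the `semanage login -l` listing shown in the article.
SAMPLE_LOGIN_LIST='Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
netiq                     netiq_u                   s0
root                      root                      SystemLow-SystemHigh'

# Use the live listing when semanage is available and we are root; otherwise
# fall back to the sample so the script can be exercised anywhere.
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    semanage login -l | check_login_mapping netiq netiq_u
else
    printf '%s\n' "$SAMPLE_LOGIN_LIST" | check_login_mapping netiq netiq_u
fi
```

Run it as root on the monitored host after the agent installation; a FAIL line means the agent account will not receive the netiq_u context you configured.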