6.3.6. Enabling SELinux

SELinux policies for Certificate System subsystems are installed as a dependency for Certificate System 8.1, in the pki-selinux package. The SELinux policies are automatically configured whenever a new instance is created by the pkicreate command.
Red Hat recommends running Certificate System with SELinux in enforcing mode, to make the most of the security policies.
The Certificate System SELinux policies assume that the Red Hat Directory Server is listening over the standard LDAP/LDAPS ports, 389 and 636, respectively. If the Directory Server is using non-standard ports, then edit the SELinux policy using semanage to relabel the LDAP/LDAPS ports and allow the subsystem to access the Directory Server.
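As an added example (not part of the Red Hat documentation), the following shell helper decides which `semanage` command relabels a non-standard Directory Server port with the LDAP port type `ldap_port_t`. It is worth checking the current labeling first, because `semanage port -a` refuses a port that is already explicitly listed under some type, in which case `-m` (modify) is needed instead. The `semanage port -l` listing is constructed sample data, and the port numbers 3389 and 8443 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Certificate System documentation.
# Constructed, abbreviated sample of `semanage port -l` output.
SAMPLE_PORT_LIST='ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
ldap_port_t                    udp      389
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Print the SELinux type that currently labels PORT/PROTO in LISTING,
# or nothing if the port is not explicitly listed. Only explicit port
# numbers are matched, not ranges such as 1024-65535.
port_label() {
    port="$1"; proto="$2"; listing="$3"
    printf '%s\n' "$listing" | awk -v p="$port" -v pr="$proto" '
        $2 == pr {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if ($i == p) { print $1; exit }
            }
        }'
}

# Emit the semanage command that makes PORT/PROTO an ldap_port_t port,
# choosing -a (add) or -m (modify) based on the current labeling.
ldap_port_command() {
    port="$1"; proto="$2"; listing="$3"
    current=$(port_label "$port" "$proto" "$listing")
    if [ "$current" = "ldap_port_t" ]; then
        echo "# $proto/$port is already labeled ldap_port_t; nothing to do"
    elif [ -n "$current" ]; then
        # Port is defined under another type: -a would fail, so modify it.
        echo "semanage port -m -t ldap_port_t -p $proto $port"
    else
        echo "semanage port -a -t ldap_port_t -p $proto $port"
    fi
}

# Usage (assumed ports): Directory Server on tcp/3389, plus two checks.
ldap_port_command 3389 tcp "$SAMPLE_PORT_LIST"
ldap_port_command 636 tcp "$SAMPLE_PORT_LIST"
ldap_port_command 8443 tcp "$SAMPLE_PORT_LIST"
```

On a live system, pass `"$(semanage port -l)"` as the third argument and run the printed command as root; the port label change survives reboots because semanage records it in the local policy store.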
If SELinux is set to enforcing, then any external modules or hardware which interact with the subsystems must be configured with the proper SELinux settings to proceed with subsystem installation.
SELinux is a collection of mandatory access control rules which are enforced across a system to restrict unauthorized access and tampering. SELinux is described in more detail in the SELinux section in the Red Hat Enterprise Linux Deployment Guide.
Red Hat Certificate System has its own SELinux policies defined in a special package, pki-selinux, which is a required dependency for each subsystem. This policy defines objects, domains, and rules for each subsystem type, and those policies apply equally to every instance of that type on that machine. The rules and definitions for all the subsystems comprise the overall Certificate System SELinux policy.
The Certificate System subsystems are designed to run with SELinux in enforcing mode, meaning that Certificate System operations complete successfully even when every SELinux rule is enforced. All SELinux policies are updated every time a subsystem is added with pkicreate or removed with pkiremove.
To make sure SELinux is in the proper mode:
  1. Open the Systems menu.
  2. Open the Administration menu, and select the SELinux Management item.
  3. In the Status area, set the system default and current enforcing modes to the desired setting. Enforcing mode is recommended.