13.7. Managing the SELinux Policies for Subsystems

SELinux is a collection of mandatory access control rules which are enforced across a system to restrict unauthorized access and tampering. For more information about SELinux, see the SELinux User's and Administrator's Guide.

13.7.1. About SELinux

Basically, SELinux identifies objects on a system, which can be files, directories, users, processes, sockets, or any other thing on a Linux host. These objects correspond to the Linux API objects. Each object is then mapped to a security context, which defines the type of object it is and how it is allowed to function on the Linux server.
System processes run within SELinux domains. Each domain has a set of rules that defines how the SELinux domain interacts with other SELinux objects on the system. This set of rules, then, determines which resources a process may access and what operations it may perform on those resources.
For Certificate System, each subsystem type runs within a specific domain for that subsystem type. Every instance of that subsystem type belongs to the same SELinux domain, regardless of how many instances are on the system For example, if there are three CAs installed on a server, all three belong to the http_port_t SELinux domain.
The rules and definitions for all the subsystems comprise the overall Certificate System SELinux policy. Certificate System SELinux policies are already configured when the subsystems are installed, and all SELinux policies are updated every time a subsystem is added with pkispawn or removed with pkidestroy.
The Certificate System subsystems run with SELinux set in enforcing mode, meaning that Certificate System operations can be successfully performed even when all SELinux rules are required to be followed.
By default, the Certificate System subsystems run confined by SELinux policies.

13.7.2. Viewing SELinux Policies for Subsystems

All Certificate System policies are are part of the system SELinux policy. The configured policies can be viewed using the SELinux Administration GUI, which you can get by installing the policycoreutils-gui package.
  1. Either run the system-config-selinux command or open the utility by accessing ApplicationsOtherSELinux Management for the main system menu.
  2. To check the version of the Certificate System SELinux policy installed, click the Policy Module section in the left bar.
  3. To view the policies set on the individual files and processes, click the File Labeling section. To view the policies for the port assignments for the subsystems, click the Network Port section.

13.7.3. Relabeling nCipher netHSM Contexts

The nCipher netHSM software does not come with its own SELinux policy, so the Certificate System contains a default netHSM policy, shown in Example 13.1, “netHSM SELinux Policy”.

Example 13.1. netHSM SELinux Policy

# default labeling for nCipher
/opt/nfast/scripts/init.d/(.*)  gen_context(system_u:object_r:initrc_exec_t,s0)
/opt/nfast/sbin/init.d-ncipher  gen_context(system_u:object_r:initrc_exec_t,s0)
/opt/nfast(/.*)?                gen_context(system_u:object_r:pki_common_t, s0)
/dev/nfast(/.*)?                gen_context(system_u:object_r:pki_common_dev_t,0)
Other rules allow the pki_*_t domain to talk to files that are labeled pki_common_t and pki_common_dev_t.
If any of the nCipher configuration is changed (even if it is in the default directory, /opt/nfast), run the restorecon to make sure all files are properly labeled:
restorecon -R /dev/nfast
restorecon -R /opt/nfast
If the nCipher software is installed in a different location or if a different HSM is used, the default Certificate System HSM policy needs to be relabelled using semanage.