topic Re: Configuring SELinux on RHEL 6 in Installation

Configuring SELinux on RHEL 6

snosplunk — Tue, 23 Jun 2020 18:53:02 GMT

So I have tried to run chcon command on the /opt/splunk/lib as the docs indicate.

chcon -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null and chcon -v -R -u system_u -r object_r -t lib_t /opt/splunk/lib 2>&1 > /dev/null

Also added:

export SPLUNK_IGNORE_SELINUX=1 to setSplunkEnv

script but not sure I did it correctly? Does it need to be at the end, before the esac or ??

Can I verify the chcon ran successfully?

Re: Configuring SELinux on RHEL 6

dwaddle — Wed, 08 Dec 2010 07:46:50 GMT

The easiest way to verify any SELinux labelling worked properly is with the "-Z" option to ls. But, starting with RHEL5, there are superior tools to chcon for more permanently configuring your SELinux policy to put certain files into a specific context. Look into the "semanage" and "restorecon" tools.

Re: Configuring SELinux on RHEL 6

doksu — Wed, 25 Mar 2015 11:41:42 GMT

On RHEL 6 there is no need to change anything in relation to SELinux for Splunk to work correctly. However, it's a good idea to confine Splunk with SELinux to take advantage of the protection it provides: https://github.com/doksu/selinux_policy_for_splunk

Re: Configuring SELinux on RHEL 6

scruse — Fri, 17 Jul 2015 21:37:53 GMT

does this also apply to SELinux in CentOS6? I like Dan Walsh and don't want him to cry 😞

Re: Configuring SELinux on RHEL 6

doksu — Tue, 21 Jul 2015 01:40:30 GMT

Yes, it applies to any RHEL 6 binary-compatible distributions (CentOS, Oracle Linux, etc). If you're concerned, you can have your cake and eat it too by confining Splunk with the policy but running it in permissive (so it only logs policy violations, rather than preventing them). Be sure to ingest your AVCs into Splunk (by putting an inputs.conf monitor stanza on /var/log/audit/audit.log), then use the 'Type Enforcement' dashboard of the Linux Auditd app (https://splunkbase.splunk.com/app/2642/) to analyse denials.

N.B. I've been working on a RHEL 7 version of the policy recently; let me know if you'd like any further information - it should be released on github some time soon.

Re: Configuring SELinux on RHEL 6

ephemeric — Mon, 23 Aug 2021 11:53:02 GMT

Have to agree with @dwaddle, use `semanage` and `restorecon` as `chcon` is not persistent across reboots. On CentOS7/8, there should be no need to change SELinux policy if Splunk is in `/opt/splunk` and binding to standard ports. Only the homedir in `/opt/splunk` will fail to be created during a rpm install as per error message but will still be created in the end. See "non-default homedir location" online for aforementioned error.