Configuring SELinux on RHEL 6

New Member

So I have tried to run the chcon command on /opt/splunk/lib as the docs indicate:

chcon -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null

and

chcon -v -R -u system_u -r object_r -t lib_t /opt/splunk/lib 2>&1 > /dev/null

I also added:

export SPLUNK_IGNORE_SELINUX=1

to the setSplunkEnv script, but I'm not sure I did it correctly? Does it need to be at the end, before the esac, or ??

Can I verify the chcon ran successfully?


SplunkTrust

On RHEL 6 there is no need to change anything in relation to SELinux for Splunk to work correctly. However, it's a good idea to confine Splunk with SELinux to take advantage of the protection it provides: https://github.com/doksu/selinux_policy_for_splunk


Path Finder

Does this also apply to SELinux in CentOS 6? I like Dan Walsh and don't want him to cry 😞


SplunkTrust

Yes, it applies to any RHEL 6 binary-compatible distributions (CentOS, Oracle Linux, etc). If you're concerned, you can have your cake and eat it too by confining Splunk with the policy but running it in permissive (so it only logs policy violations, rather than preventing them). Be sure to ingest your AVCs into Splunk (by putting an inputs.conf monitor stanza on /var/log/audit/audit.log), then use the 'Type Enforcement' dashboard of the Linux Auditd app (https://splunkbase.splunk.com/app/2642/) to analyse denials.

N.B. I've been working on a RHEL 7 version of the policy recently; let me know if you'd like any further information - it should be released on github some time soon.

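The workflow this reply describes (confine Splunk with the policy but keep only that domain permissive, monitor audit.log into Splunk, then review the denials), as an added shell example that is not part of the original thread or of the doksu policy. It assumes the policy's Splunk domain is named splunk_t, which is a placeholder: take the real name from the policy module's type enforcement file. The sourcetype in the inputs.conf stanza is an assumption about what the Linux Auditd app expects; check the app's documentation. The audit.log lines are constructed samples, so the denial summary runs offline on any host.

```shell
#!/bin/sh
# Added example: confine Splunk in permissive mode, ingest AVCs, summarise denials.
# SPLUNK_DOMAIN is a PLACEHOLDER; the real domain name comes from the policy module.
SPLUNK_DOMAIN="${SPLUNK_DOMAIN:-splunk_t}"

# Make only the Splunk domain permissive; the rest of the system stays enforcing.
# Requires policycoreutils-python on RHEL 6; does nothing on hosts without semanage.
set_domain_permissive() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; skipping (install policycoreutils-python)" >&2
        return 2
    fi
    semanage permissive -a "$1"
    # Verify: the domain should now be listed as permissive.
    semanage permissive -l | grep -w "$1"
}

# inputs.conf stanza for the forwarder that reads the audit log.
# The sourcetype is an assumption; use whatever the Linux Auditd app expects.
inputs_conf_stanza() {
    cat <<'EOF'
[monitor:///var/log/audit/audit.log]
sourcetype = linux_audit
disabled = 0
EOF
}

# Summarise AVC denials from audit.log lines on stdin as
#   "<count> <source domain> <target type> <class> <permissions>", most frequent first.
# A quick first look before the dashboard, or on a host that has no Splunk yet.
summarize_avc_denials() {
    grep -E 'avc: +denied' | awk '
    {
        # The denied permissions sit between "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt, cls, perms
    }' | sort | uniq -c | sort -rn
}

# The most frequent denial, without the leading count.
top_denial() {
    summarize_avc_denials | head -n 1 | sed 's/^ *[0-9][0-9]* //'
}

# Constructed sample audit.log lines (not captured from a real host); the SYSCALL
# record shows that non-AVC lines are ignored.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1357894631.100:4101): avc:  denied  { read } for  pid=2001 comm="splunkd" name="messages" dev=dm-0 ino=131 scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1357894631.100:4101): arch=c000003e syscall=2 success=no exit=-13 comm="splunkd"
type=AVC msg=audit(1357894632.200:4102): avc:  denied  { read } for  pid=2001 comm="splunkd" name="secure" dev=dm-0 ino=132 scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1357894633.300:4103): avc:  denied  { name_connect } for  pid=2001 comm="splunkd" scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
EOF
)

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc_denials
```

On a real host, `set_domain_permissive "$SPLUNK_DOMAIN"` followed by `summarize_avc_denials < /var/log/audit/audit.log` gives the same grouping the dashboard shows; the grouped source/target/class/permission tuples are what you would feed to audit2allow when deciding whether a denial is a policy gap or genuinely unwanted access.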

SplunkTrust

The easiest way to verify any SELinux labelling worked properly is with the "-Z" option to ls. But, starting with RHEL5, there are superior tools to chcon for more permanently configuring your SELinux policy to put certain files into a specific context. Look into the "semanage" and "restorecon" tools.
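The persistent labelling this reply recommends (an fcontext rule recorded with semanage, applied with restorecon, and verified with ls -Z), as an added shell example that is not part of the original thread. It assumes the path /opt/splunk/lib and the type lib_t from the question's chcon command; the ls -lZ output it checks is a constructed sample, since the check itself is plain awk and runs on any host.

```shell
#!/bin/sh
# Added example: persistent SELinux file context for Splunk's lib directory,
# plus a portable check of "ls -lZ" output for mislabelled entries.

# Record an fcontext rule in the local policy store and apply it to disk.
# Unlike chcon, the rule survives a relabel (restorecon or an autorelabel).
# Needs semanage (policycoreutils-python on RHEL 6) and restorecon.
label_persistently() {
    dir=$1
    want=$2
    if ! command -v semanage >/dev/null 2>&1 || ! command -v restorecon >/dev/null 2>&1; then
        echo "semanage/restorecon not available; nothing changed" >&2
        return 2
    fi
    # -a adds a rule; if one already exists for this pattern, use -m instead.
    semanage fcontext -a -t "$want" "${dir}(/.*)?"
    # restorecon -n would show the intended changes without applying them.
    restorecon -Rv "$dir"
}

# Read "ls -lZ" output on stdin and print the name of every entry whose type
# field is not $1. Returns 1 if any were printed, 0 if all entries match.
find_mislabelled() {
    awk -v want="$1" '
    {
        ctx = ""
        # The context is the field shaped like user:object_r:type:level.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:object_r:/) { ctx = $i; name = $NF }
        if (ctx == "") next          # "total N" line or no context field
        split(ctx, f, ":")
        if (f[3] != want) { print name; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample of "ls -lZ /opt/splunk/lib" (not captured from a real host):
# one entry carries the wrong type.
SAMPLE_LS=$(cat <<'EOF'
total 12
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 libssl.so.1.0.0
-rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 libpcre.so.1
drwxr-xr-x. root root system_u:object_r:lib_t:s0 python2.7
EOF
)

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_LS" | find_mislabelled lib_t; then
    echo "all entries are lib_t"
else
    echo "entries above are not lib_t; run restorecon -Rv on the directory"
fi
```

On a real host the check is `ls -lZ /opt/splunk/lib | find_mislabelled lib_t` after `label_persistently /opt/splunk/lib lib_t`; an empty result with exit status 0 is the "did chcon/restorecon work" answer the question asks for, and because the rule lives in the policy store a later relabel reproduces the same result instead of silently undoing a chcon.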