Hi All, We have an install of Splunk on Red Hat 8 with SELinux set to enforcing. All of the services start, but the web page for Splunk does not work while SELinux is enforcing. If I simply turn off SELinux and reboot, everything works great. My question is: which SELinux modules need to be turned off specifically, or do I have to do an SELinux chcon (change context), and if so on which files and to what context? If anyone has had to do this and can help, I would appreciate it. Thanks
Hi,
What is your Splunk web port, the default 8000? Generally I have seen that SELinux does not cause any issues with Splunk, but if you are using some other ports which are not allowed by SELinux then it may create a problem.
I also just checked with semanage that port 8443 is also allowed with the content of http_port_t, so that should be good with SELinux.
I don't have RHEL 8 on hand now, but if I recall right there is also a firewall running and you must enable the needed ports in it. Also (as you said) you must use semanage to allow those ports.
r. Ismo
I believe it was changed from port 8000 to 8443. It works fine if you turn off SELinux.
Any suggestions?
As root:
`semanage port -l | grep 8443` and check the output.
`grep "8443" /var/log/audit/audit.log`.
If you get "denied" on port 8443 in the log, there is the problem. Splunk is not allowed to bind to port 8443 as per policy. One can fix that easily enough.
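The audit-log check described in the last reply, as an added example that is not part of the original thread: a plain grep for "8443" also matches PIDs and inode numbers, so this filters AVC records down to denied `name_bind` on the port and shows which domain and port type were involved. The sample records and the `example_splunk_t` domain are constructed assumptions.

```bash
#!/usr/bin/env bash
# Constructed audit records for illustration, not taken from a real host.
# example_splunk_t is a hypothetical domain; real labels will differ.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:410): avc:  denied  { name_bind } for  pid=2101 comm="splunkd" src=8443 scontext=system_u:system_r:example_splunk_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000060.202:433): avc:  denied  { name_bind } for  pid=2188 comm="splunkd" src=8443 scontext=system_u:system_r:example_splunk_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000061.303:434): avc:  denied  { name_bind } for  pid=2188 comm="splunkd" src=9997 scontext=system_u:system_r:example_splunk_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000062.404:435): avc:  denied  { read } for  pid=8443 comm="splunkd" name="web.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:example_splunk_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
EOF
}

# bind_denials PORT: read audit records on stdin and print one line per
# (process, source type, port type) that was denied name_bind on PORT:
#   <comm> <source type> <port type> <count>
bind_denials() {
  awk -v port="$1" '
    /type=AVC/ && /denied/ && /name_bind/ {
      comm = src = stype = ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        if ($i ~ /^src=/)      { src = substr($i, 5) }
        # SELinux contexts are user:role:type:level; keep the type field.
        if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
      }
      # Match on the bound port only, never on pid= or ino= values.
      if (src == port) seen[comm " " stype " " ttype]++
    }
    END { for (k in seen) print k, seen[k] }
  ' | sort
}

# Demo on the constructed sample. On a real host, as root:
#   bind_denials 8443 < /var/log/audit/audit.log
sample_audit_log | bind_denials 8443
```

The port type in the third column is the label to compare against the `semanage port -l | grep 8443` output.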