Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk with Redhat 8 and SELinux

sbloom67
Observer
‎08-19-2021 01:27 PM

Hi All, We have an install of Splunk on Redhat 8 with SELinux on as enforcing.  Well all of the services start but the webpage for splunk does not work while SELinux is enforcing.  If I simply turn off SELinux and reboot everything works great.  My question is, what SELinux modules either need to be turn off specifically or do I have to do a SELinux chcon (Change context) on what files and set them to what.  If anyone has had to do this and can help, I would appreciate it.  Thanks

Labels (2)
Labels
0 Karma
Reply

harsmarvania57
Ultra Champion
‎08-20-2021 03:27 AM

Hi,

What is your splunk web port, default 8000 ? Generally I have seen that selinux is not causing any issue with splunk but if you are using some other ports which is not allowed by selinux then it may create problem.

0 Karma
Reply

sbloom67
Observer
‎08-20-2021 08:39 AM

I also just checked with semanage that port 8443 is also allowed with the content of http_port_t.  so that should be good with selinux

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-20-2021 10:38 AM

I haven't RHEL 8 on my hands now, but if I recall right there is also firewall running and you must enable needed ports with it. Also (as you said) you must use semange to allow those ports.

r. Ismo

0 Karma
Reply

sbloom67
Observer
‎08-20-2021 08:29 AM

i believe it was changed from port 8000 to 8443.  It works fine if u turn off SELINUX

 

Any suggestions ???

0 Karma
Reply

ephemeric
Contributor
‎08-23-2021 04:44 AM

As root:

`semanage port -l | grep 8443` and check the output.

`grep "8443" /var/log/audit/audit.log`.

If you get "denied" on port 8443 in the log, there is the problem. Splunk is not allowed to bind to port 8443 as per policy. One can fix that easily enough.

0 Karma
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...