Deploying Unravel on security-enhanced Linux

This topic explains how to deploy Unravel over Security Enhanced Linux (SELinux). SELinux allows you to set access control through SELinux policies.

SELinux modes
  • Enforcing: The SELinux policies and rules are strictly enforced and applied to subjects and objects. All production systems have SELinux enabled in enforcing mode. Whenever a violation or error is detected, the policy is enforced (the access is denied) and the violation or error is logged.

  • Permissive: The policies and rules of SELinux are applied to subjects and objects but are not enforced. All violations and errors under the SELinux policy are ignored and logged to the log files. If the SELinux policy would prevent a specific service from accessing a specific folder, this mode allows the access but logs a denial message. This mode provides enough debugging information to fine-tune the SELinux policy so that it runs smoothly in enforcing mode.

  • Disabled: No policies are enforced.

SELinux policies

Unravel currently only supports the targeted policy.

Prerequisites

Enable SELinux on the Unravel node running Linux.

  1. In /etc/sysconfig/selinux, specify the following settings:

    1. Set the mode to enforcing.

      This is SELinux's default; whenever the system reboots it starts SELinux in this mode. For instructions on changing the mode while running, see Working with modes.

      SELINUX=enforcing 
    2. Use the default policy, targeted.

      SELINUXTYPE=targeted 
  2. Reboot the system to make the changes take effect.
  3. Verify the SELinux mode setting after the reboot.

    getenforce
    enforcing
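The two prerequisite settings and the post-reboot verification above can be checked mechanically. The following shell script is an added example, not part of the Unravel documentation: it parses a sysconfig-style file for the SELINUX and SELINUXTYPE keys, confirms they request enforcing/targeted, and, where getenforce exists, compares the running mode with the configured one so that a leftover setenforce call is noticed. The sample configuration file it creates is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Unravel docs): verify the persistent SELinux
# configuration and compare it with the running mode. The config file path is a
# parameter so the same check runs against a constructed sample file and against
# the real /etc/sysconfig/selinux.

# Print the value of KEY in a KEY=VALUE sysconfig-style file, ignoring comment
# lines, surrounding whitespace and trailing comments. The last definition wins.
sysconfig_value() {
  key="$1"; file="$2"
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1
}

# Exit 0 when the file configures enforcing mode with the targeted policy,
# which is what the prerequisites above require.
selinux_config_ok() {
  file="$1"
  mode=$(sysconfig_value SELINUX "$file")
  type=$(sysconfig_value SELINUXTYPE "$file")
  [ "$mode" = "enforcing" ] && [ "$type" = "targeted" ]
}

# Exit 0 when the running mode reported by getenforce (Enforcing/Permissive/
# Disabled) agrees with the configured one; comparison is case-insensitive.
# When getenforce is not installed the check is skipped and reported on stderr.
runtime_matches_config() {
  file="$1"
  if ! command -v getenforce >/dev/null 2>&1; then
    echo "getenforce not available; skipping runtime check" >&2
    return 0
  fi
  configured=$(sysconfig_value SELINUX "$file")
  running=$(getenforce | tr '[:upper:]' '[:lower:]')
  [ "$running" = "$configured" ]
}

# Constructed sample configuration (same keys as /etc/sysconfig/selinux).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

if selinux_config_ok "$SAMPLE_CONF"; then
  echo "sample config: enforcing/targeted as required"
fi

# Against the real host configuration, when present.
if [ -r /etc/sysconfig/selinux ]; then
  selinux_config_ok /etc/sysconfig/selinux || echo "host config is not enforcing/targeted" >&2
  runtime_matches_config /etc/sysconfig/selinux || echo "running mode differs from the configured mode; check for an earlier setenforce call" >&2
fi
```

Run the script on the Unravel node after the reboot; a mismatch between the configured and running modes means a manual setenforce is still in effect and will be lost at the next boot.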

Installing the Unravel RPM on a SELinux-enabled node
  1. Install Unravel in permissive mode or enforcing mode.

    You can install Unravel in either mode. However, installing Unravel in enforcing mode is highly discouraged since SELinux issues a warning regarding uncertainty of functionality.

    • Installing in permissive mode (recommended)
      1. Set mode to permissive and verify setting.

        setenforce 0
        getenforce
        permissive
      2. Install the Unravel RPM.

        sudo rpm -Uvv unravel-version.x86_64.rpm 2> /tmp/rpm.txt
        sudo /usr/local/unravel/install_bin/await_fixups.sh
      3. Depending on the environment, SELinux may generate alerts like the ones below during the installation. They do not hinder the installation process.

        sealert -a /var/log/audit/audit.log
        Alert 1: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process.
        Alert 2: SELinux is preventing /usr/bin/python2.7 from using the rlimitinh access on a process.
    • Installing in enforcing mode (highly discouraged)

      When Unravel is installed in enforcing mode, SELinux issues a warning regarding uncertainty of functionality.

      1. Run getenforce to check whether the Unravel SELinux node is in enforcing mode. If it is not, go to Step b above.

        getenforce
        enforcing
      2. Install Unravel using rpm.

        sudo rpm -Uvv unravel-version.x86_64.rpm 2> /tmp/rpm.txt
        sudo /usr/local/unravel/install_bin/await_fixups.sh
      3. The rpm installation sets SELINUX to permissive and issues a security warning:

        -----RPM installation log
        + setenforce Permissive
        + echo
        + tee_echo '[CREATE_B1: SECURITY: WARNING] Setting selinux to be temporarily Permissive; after a reboot it might revert to Enforced and Unravel functionality might be an issue.'
        + tee -a /tmp/rpm_upgrade.log
        ++ date '+%Y-%m-%d %H:%M:%S'
         + echo '[2019-01-28 06:33:17] [CREATE_B1: SECURITY: WARNING] Setting selinux to be temporarily Permissive; after a reboot it might revert to Enforced and Unravel functionality might be an issue.' 
        + echo
        + FILE_CACHE_HEADROOM_MB=2000
        -----
        getenforce
        permissive

        SELinux generates two alerts like the ones below. Similar alerts are generated throughout the installation process.

        sealert -a /var/log/audit/audit.log
        Alert 1: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process.
        Alert 2: SELinux is preventing /usr/bin/python2.7 from using the rlimitinh access on a process.
  2. Switch to user.

    There should be no alerts at this stage.

    1. Set SELINUX to enforcing and verify it's been set.

      setenforce 1
      getenforce
      enforcing
    2. Run the script switch_to_user.sh where user and group depend on your environment. For more information, see switch_to_user.

      sudo /usr/local/unravel/install_bin/switch_to_user.sh user group
  3. Start Unravel services after RPM installation. Run the following command to make sure all services start up successfully.

    sudo /etc/init.d/unravel_all.sh start

    SELinux generates two alerts. Similar alerts are generated throughout the installation process.

    sealert -a /var/log/audit/audit.log
    Alert 1: SELinux is preventing /usr/bin/bash from using the rlimitinh access on a process.
    Alert 2: SELinux is preventing /usr/bin/python2.7 from using the rlimitinh access on a process.
  4. Verify that SELinux is set to enforcing.

    getenforce
    enforcing
  5. If getenforce returned permissive, execute the following commands to set SELINUX to enforcing mode and restart the services under it.

    sudo /etc/init.d/unravel_all.sh stop
    setenforce 1
    sudo /etc/init.d/unravel_all.sh start
  6. Configure Unravel Server and install sensors.

    Substitute your fully qualified domain name or your host's IP for UNRAVEL_HOST. There should be no alerts generated at this stage.

    python /usr/local/unravel/install_bin/cluster-setup-scripts/unravel_cdh_setup.py --spark-version 2.3.0 --unravel-server UNRAVEL_HOST --cm-server UNRAVEL_HOST --all
Troubleshooting

Run these commands after an installation, an operation, or a job submission to check whether any alerts, denials, or policy violations have occurred.

  • To view any Unravel specific alerts:

    sealert -a /var/log/audit/audit.log | grep unravel
  • To view any system specific alerts:

    sealert -a /var/log/audit/audit.log
Installing and using SELinux tools

yum install setroubleshoot setools
yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot setools setools-console

These tools help you get more information about the loaded policy and analyze the AVC (access vector cache) denial messages that SELinux writes to the audit log.

  • Use seinfo to identify the loaded SELinux Policy. Your output should look similar to the sample below.

    seinfo
    Statistics for policy file: /sys/fs/selinux/policy
    Policy Version & Type: v.28 (binary, mls)
    
    Classes:       94       Permissions:   262   
    Sensitivities  1        Categories: 1024
    Types:         4747     Attributes:    251
    Users:         8        Roles:         14
    Booleans:      307      Cond. Expr.:   56
    Allow:         101746   Neverallow: 0
    Auditallow:    155      Dontaudit:     8846
    Type_trans:    17759 Type_change:   74
    Type_member:   35       Role allow:    39
    Role_trans:    416      Range_trans:   5697
    Constraints:   109      Validatetrans: 0
    Initial SIDs:  27       Fs_use:        29
    Genfscon:      105      Portcon:       602
    Netifcon:      0        Nodecon:       0
    Permissives:   6        Polcap:        2
  • Use semodule -DB to disable the policy's dontaudit rules and rebuild the policy, so that even the denials SELinux normally suppresses are logged. Run semodule -B afterwards to rebuild with the dontaudit rules re-enabled.

    semodule -DB
  • Use sealert to see alerts.

    • Enter the following command to see all the alerts generated by SELinux

      sealert -a /var/log/audit/audit.log
    • Enter the following command to see Unravel specific alerts

      sealert -a /var/log/audit/audit.log | grep unravel
  • For debugging (that is, when you are testing in enforcing mode), run the following commands:

    Log all violations, including the ones SELinux normally suppresses through dontaudit rules.

    semodule -DB

    Truncate the audit log file so that only the access violations that occur during your enforcing-mode test are recorded. This discards the existing audit records, so copy the file elsewhere first if you still need them.

    > /var/log/audit/audit.log
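The troubleshooting commands on this page rely on sealert. The following shell script is an added example, not part of the Unravel documentation, that performs the same triage directly on the raw AVC records in audit.log using only awk, so it also works on a host where setroubleshoot is not installed. It summarizes denials by permission, process and source/target SELinux type, and separates denials that actually blocked access (permissive=0, what you get in enforcing mode) from ones that were only logged (permissive=1). The audit records it processes are constructed to resemble the alerts shown on this page; the pids, inode numbers and the file name unravel.log are constructed values, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Unravel docs): triage raw AVC denial records from
# /var/log/audit/audit.log without sealert. Works on the real file by passing
# its path; here it runs on a constructed sample.

# Print one line per AVC denial:
#   permissive-flag permission comm source_type target_type tclass
avc_fields() {
  awk '/avc:[[:space:]]+denied/ {
    perm = ""; comm = "?"; sctx = "?"; tctx = "?"; tclass = "?"; permissive = "?"
    # The denied permission set is printed inside braces, e.g. { rlimitinh }.
    if (match($0, /[{][^}]*[}]/)) {
      perm = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perm)
    }
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "comm")       { comm = kv[2]; gsub(/"/, "", comm) }
      if (kv[1] == "scontext")   { split(kv[2], p, ":"); sctx = p[3] }   # user:role:type:level
      if (kv[1] == "tcontext")   { split(kv[2], p, ":"); tctx = p[3] }
      if (kv[1] == "tclass")     { tclass = kv[2] }
      if (kv[1] == "permissive") { permissive = kv[2] }
    }
    print permissive, perm, comm, sctx, tctx, tclass
  }' "$1"
}

# Denials that blocked access (would also block in enforcing mode).
enforced_denials() { avc_fields "$1" | awk '$1 == "0"'; }

# Count of distinct denials, most frequent first.
avc_summary() { avc_fields "$1" | sort | uniq -c | sort -rn; }

# Same filter the page applies to sealert output: raw records mentioning unravel.
unravel_denials() { grep -c unravel "$1" || true; }

# Constructed sample audit records modelled on the alerts shown on this page.
SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1548657197.101:301): avc:  denied  { rlimitinh } for  pid=4101 comm="bash" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1548657197.102:302): avc:  denied  { rlimitinh } for  pid=4102 comm="python2.7" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1548657197.103:303): avc:  denied  { rlimitinh } for  pid=4103 comm="bash" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1548657210.500:310): avc:  denied  { read } for  pid=4200 comm="mysqld" name="plugin.frm" dev="sda1" ino=1234 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1548657210.500:310): arch=c000003e syscall=2 success=no exit=-13 a0=7f1c0000a0c0 comm="mysqld" exe="/usr/sbin/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1548657230.200:320): avc:  denied  { write } for  pid=4300 comm="java" name="unravel.log" dev="sda1" ino=5678 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
EOF

echo "Denials by frequency:"
avc_summary "$SAMPLE_AUDIT"
echo "Denials that blocked access (enforced):"
enforced_denials "$SAMPLE_AUDIT"
echo "Records mentioning unravel: $(unravel_denials "$SAMPLE_AUDIT")"
```

On a real node run it as avc_summary /var/log/audit/audit.log; the permissive=0 lines are the ones to resolve before switching to enforcing mode, and the source/target type pair on each line is what a policy module or a relabel has to address.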
Working with modes
Determining which mode SELinux is running in

Retrieve the current SELinux mode. Output is permissive or enforcing, depending on the setting.

getenforce
Switching modes

You can switch modes on the fly using the setenforce command.

Note

When Unravel is restarted SELinux returns to the default mode set in /etc/sysconfig/selinux.

  • To set permissive mode

    setenforce 0
  • To set enforcement mode

    setenforce 1
Installing MySQL in enforcing mode

If the datadir is changed, for example to /srv/unravel/db_data as described in MySQL installation, Unravel SELinux node throws alerts upon installation and configuration of MySQL. If you see these alerts, you must create a new policy to handle the change. A sample policy is below.

During Configure and Start MySQL Server configuration

The following alert is thrown when starting mysqld daemon (Step 5) after setting datadir=/srv/unravel/db_data.

  • Alert: If you believe that mysqld should be allowed read access on the plugin.frm file by default

During Configure Unravel to Connect MySQL Server

The following alert is thrown while creating the database (Step 1).

  • Alert: If you believe that mysqld should be allowed create access on the ibdata1 file by default.

The following alert is thrown when creating the schema for Unravel (Step 3).

  • Alert: If you believe that mysqld should be allowed remove_name access on the edge-4.lower-test directory by default.

Sample policy

module my-mysqld 1.0;

require {
    type mysqld_safe_t;
    type var_t;
    type mysqld_t;
    class process siginh;
    class dir { add_name create remove_name write };
    class file { create getattr lock open read rename unlink write };
}

#============= mysqld_safe_t ==============
#!!!! This avc is allowed in the current policy
allow mysqld_safe_t mysqld_t:process siginh;

#============= mysqld_t ==============
#!!!! This avc is allowed in the current policy
allow mysqld_t var_t:dir { add_name create remove_name write };
allow mysqld_t var_t:file rename;
#!!!! This avc is allowed in the current policy
allow mysqld_t var_t:file { create getattr lock open read unlink write };
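The sample policy above is a .te source; it still has to be compiled and loaded, and it is worth noticing that its allow rules target var_t, the generic type that /srv and anything else without a more specific label carries, so they widen mysqld_t's access to every var_t file rather than just the datadir. The following shell script is an added example, not part of the Unravel documentation: it writes the sample module to a file, flags the rules that target a generic type, prints the narrower alternative of relabelling the relocated datadir with mysqld_db_t (the type the targeted policy already lets mysqld_t manage for /var/lib/mysql), and compiles and loads the module with the standard checkmodule, semodule_package and semodule toolchain when that toolchain is present. mysqld_db_t, semanage and restorecon are standard targeted-policy and policycoreutils names that I am assuming exist on the node; the function names are my own, and the datadir path is the one from the page.

```shell
#!/bin/sh
# Added example (not from the Unravel docs): package the sample my-mysqld module,
# review what it grants, and show the relabel alternative. Pass --load to
# actually compile and install the module on a host with the SELinux userland.

# Write the sample policy source from the page to the given path.
write_policy_te() {
  cat > "$1" <<'EOF'
module my-mysqld 1.0;
require {
    type mysqld_safe_t;
    type var_t;
    type mysqld_t;
    class process siginh;
    class dir { add_name create remove_name write };
    class file { create getattr lock open read rename unlink write };
}
allow mysqld_safe_t mysqld_t:process siginh;
allow mysqld_t var_t:dir { add_name create remove_name write };
allow mysqld_t var_t:file rename;
allow mysqld_t var_t:file { create getattr lock open read unlink write };
EOF
}

# Review aid: print every allow rule in module $1 whose target type is $2
# (e.g. var_t). Such rules apply to every object carrying that type, not just
# the datadir. Exit status 0 when at least one rule is found.
allows_generic_type() {
  grep -E "^allow[[:space:]]+[a-z_]+[[:space:]]+$2:" "$1"
}

# Print the commands that give a relocated datadir the mysqld_db_t type:
# the fcontext rule is persistent (survives relabels), restorecon applies it
# to the files that already exist. No new allow rules are needed for this.
datadir_label_cmds() {
  printf "semanage fcontext -a -t mysqld_db_t '%s(/.*)?'\n" "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

# Compile and load a .te module: checkmodule -> semodule_package -> semodule.
# Returns 2 when the toolchain is absent so a caller can tell a skip from a failure.
build_and_load_module() {
  te="$1"; base="${te%.te}"
  command -v checkmodule >/dev/null 2>&1 || return 2
  checkmodule -M -m -o "$base.mod" "$te" &&
  semodule_package -o "$base.pp" -m "$base.mod" &&
  semodule -i "$base.pp"
}

WORKDIR=$(mktemp -d)
write_policy_te "$WORKDIR/my-mysqld.te"

echo "Allow rules in the sample module that target the generic var_t type:"
allows_generic_type "$WORKDIR/my-mysqld.te" var_t || echo "(none)"

echo "Narrower alternative for datadir /srv/unravel/db_data:"
datadir_label_cmds /srv/unravel/db_data

if [ "${1:-}" = "--load" ]; then
  build_and_load_module "$WORKDIR/my-mysqld.te" || echo "module not loaded (toolchain missing or build failed)" >&2
fi
```

After relabelling, ls -Z /srv/unravel/db_data should show mysqld_db_t on the directory and its files, and the plugin.frm, ibdata1 and remove_name denials listed above should no longer appear in the audit log; keep the allow-rule module for cases a relabel cannot cover.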