SELinux Support for Apache Web Agent

SELinux (Security-Enhanced Linux) implements a mandatory access control mechanism. Mandatory access control enforces an administratively set security policy over all processes and files in the system for increased security.
Important! SELinux for Apache is certified for Web Agents from 12.52 SP1 CR 07 onward.
SELinux operates in the following three modes:
  1. Enforcing: Indicates that the SELinux policy is in effect.
  2. Permissive: The SELinux system prints warnings but does not enforce policy.
  3. Disabled: Indicates that SELinux policies are disabled.
The following sections describe how the Web Agent works when SELinux is in either Enforcing or Permissive mode:
Impact on Web Agent with SELinux Enabled
Web Agent modules are loaded into the context of the Web Server (Apache httpd) process. Inside that context, the Web Agent modules load binaries, invoke the LLAWP process, read configuration files, write logs, and open ports for communication with the Policy Server. The Web Agent binaries are installed in custom folders that are not under the httpd directory. Therefore, the Web Agent binaries have no SELinux privileges enabled, and the Web Agent fails to start.
The following functionality is affected by SELinux:
SELinux Privileges for Binaries
The SELinux context of the Apache process differs from that of the Web Agent binaries. The following example shows the different SELinux contexts of the Apache httpd binary and a Web Agent binary:
-> ls -Z /usr/sbin/httpd
   -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
-> ls -Z /opt/CA/webagent/bin/libmod_sm24.so
   -rwxrwxr-x. root root system_u:object_r:default_t:s0 /opt/CA/webagent/bin/libmod_sm24.so
The SELinux User, Role, Type, and Level fields also differ between the Apache httpd binary and the Web Agent binaries.
SELinux Privileges for Configuration Files
With SELinux, files and processes are labeled with a Type, which defines a domain for processes. The Web Agent, which runs inside the Apache httpd process, fails to read or write its configuration if the types are not set.
For the Apache httpd process, set the domain for the following files with read and write permissions:
  • For the SmHost.conf file and the log files, the Web Agent needs write permission.
  • For the configuration files and the properties file, the Web Agent needs read permission.
Opening Ports using SELinux Boolean
Agent modules, including the LLAWP process, open ports to the Policy Server for communication. Therefore, the Web Agent running under the Apache service must be allowed to make network connections; otherwise, the Web Agent fails with connection failure messages.
Enabling the SELinux httpd_can_network_connect boolean allows the Web Agent to open the port.
Make Agent work in SELinux Enforcing/Permissive Mode
The following commands make the Web Agent binaries inherit the permissions of Apache httpd:
<webagent-home>: Indicates the path where the Web Agent is installed.
  • Apply the SELinux context of Apache httpd (as shown by the "ls -Z" command above) to the Web Agent binaries with the following command:
    chcon --reference=/usr/sbin/httpd <webagent-home>/bin/*
    For a 64-bit Web Agent, enable SELinux for CAPKI:
    chcon -R --reference=/usr/sbin/httpd <webagent-home>/CAPKI/CAPKI5/Linux/amd64/64
    For a 32-bit Web Agent, enable SELinux for CAPKI:
    chcon -R --reference=/usr/sbin/httpd <webagent-home>/CAPKI/CAPKI5/Linux/x86/32
  • The following command allows the Web Agent, inside the Apache httpd process, to connect to the Policy Server:
    setsebool -P httpd_can_network_connect 1
  • The following command allows Web Agent to read configuration files from configuration folder:
    chcon -t httpd_sys_ra_content_t <webagent-home>/config/*
  • The following command allows Web Agent to write to SmHost.conf file in case shared key roll over is enabled:
    chcon -t httpd_sys_rw_content_t <webagent-home>/config/SmHost.conf
    Note: Execute the SELinux command for SmHost.conf again whenever the Web Agent is reconfigured or re-registered.
  • The following command allows Web Agent to access form files required for different authentication schemes and password services:
    chcon -R  -t httpd_sys_ra_content_t <webagent-home>/samples
  • The following command allows Web Agent to read properties files for logging from resources folder:
    chcon -R  -t httpd_sys_ra_content_t <webagent-home>/resources
  • The following command allows the Web Agent to write trace and log messages to a customizable directory:
    chcon -R -t httpd_sys_rw_content_t <webagent-home>/log
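After the commands above have been applied, the labels and the boolean can be verified instead of waiting for the Web Agent to fail. The following POSIX shell script is an added example, not part of this documentation or of the product; it parses "ls -Z" and "getsebool" output and assumes the install path /opt/CA/webagent (overridable through WEBAGENT_HOME) and the paths used in the commands above.

```sh
# Added verification script (not from the product documentation): check that
# Web Agent files carry the SELinux types the chcon commands above assign and
# that httpd_can_network_connect is on. WEBAGENT_HOME is <webagent-home>;
# the /opt/CA/webagent default is an assumption.
WEBAGENT_HOME="${WEBAGENT_HOME:-/opt/CA/webagent}"

# Type field (user:role:TYPE:level) of one "ls -Z" line such as
# "-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd"
selinux_type_of_line() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { split($i, c, ":"); print c[3]; exit } }'
}

# Compare the type in an "ls -Z" line ($2) with the expected type ($1);
# prints OK or MISMATCH with the path, returns 1 on mismatch.
check_label_line() {
    actual=$(selinux_type_of_line "$2")
    path=$(printf '%s\n' "$2" | awk '{ print $NF }')
    [ "$actual" = "$1" ] && { printf 'OK %s (%s)\n' "$path" "$actual"; return 0; }
    printf 'MISMATCH %s expected=%s actual=%s\n' "$path" "$1" "$actual"
    return 1
}

# One "getsebool" line, e.g. "httpd_can_network_connect --> on".
boolean_is_on() {
    case "$1" in *"--> on"*) return 0 ;; *) return 1 ;; esac
}

# Audit a live host: expected type per path follows the chcon commands above.
# "ls -Zd" reports a directory itself rather than its contents.
audit_webagent_labels() {
    rc=0
    while read -r expected path; do
        if line=$(ls -Zd "$path" 2>/dev/null); then
            check_label_line "$expected" "$line" || rc=1
        else
            printf 'MISSING %s\n' "$path"; rc=1
        fi
    done <<EOF
httpd_exec_t $WEBAGENT_HOME/bin/libmod_sm24.so
httpd_sys_rw_content_t $WEBAGENT_HOME/config/SmHost.conf
httpd_sys_ra_content_t $WEBAGENT_HOME/samples
httpd_sys_ra_content_t $WEBAGENT_HOME/resources
httpd_sys_rw_content_t $WEBAGENT_HOME/log
EOF
    boolean_is_on "$(getsebool httpd_can_network_connect 2>/dev/null)" \
        || { printf 'BOOLEAN httpd_can_network_connect is not on\n'; rc=1; }
    return $rc
}
```

Source the script on the Web Server host and call audit_webagent_labels; a non-zero return means at least one file is mislabeled, missing, or the boolean is off, and the printed lines name the item to fix.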