Installation

Configuring SELinux on RHEL 6

snosplunk
New Member

So I have tried to run chcon command on the /opt/splunk/lib as the docs indicate.

`chcon -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null` and `chcon -v -R -u system_u -r object_r -t lib_t /opt/splunk/lib 2>&1 > /dev/null`

Also added `export SPLUNK_IGNORE_SELINUX=1` to the setSplunkEnv script, but I'm not sure I did it correctly. Does it need to be at the end, before the esac, or ...?

Can I verify the chcon ran successfully?


ephemeric
Contributor

Have to agree with @dwaddle, use `semanage` and `restorecon` as `chcon` is not persistent across reboots. On CentOS7/8, there should be no need to change SELinux policy if Splunk is in `/opt/splunk` and binding to standard ports. Only the homedir in `/opt/splunk` will fail to be created during an rpm install as per the error message, but it will still be created in the end. See "non-default homedir location" online for the aforementioned error.


doksu
SplunkTrust

On RHEL 6 there is no need to change anything in relation to SELinux for Splunk to work correctly. However, it's a good idea to confine Splunk with SELinux to take advantage of the protection it provides: https://github.com/doksu/selinux_policy_for_splunk

scruse
Path Finder

does this also apply to SELinux in CentOS6? I like Dan Walsh and don't want him to cry 😞

doksu
SplunkTrust

Yes, it applies to any RHEL 6 binary-compatible distributions (CentOS, Oracle Linux, etc). If you're concerned, you can have your cake and eat it too by confining Splunk with the policy but running it in permissive (so it only logs policy violations, rather than preventing them). Be sure to ingest your AVCs into Splunk (by putting an inputs.conf monitor stanza on /var/log/audit/audit.log), then use the 'Type Enforcement' dashboard of the Linux Auditd app (https://splunkbase.splunk.com/app/2642/) to analyse denials.

N.B. I've been working on a RHEL 7 version of the policy recently; let me know if you'd like any further information - it should be released on github some time soon.

dwaddle
SplunkTrust

The easiest way to verify any SELinux labelling worked properly is with the "-Z" option to ls. But, starting with RHEL5, there are superior tools to chcon for more permanently configuring your SELinux policy to put certain files into a specific context. Look into the "semanage" and "restorecon" tools.
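The workflow the two answers above describe (persistent labelling with `semanage fcontext` and `restorecon`, verification with `ls -Z`, and doksu's suggestion of feeding `/var/log/audit/audit.log` into Splunk so AVC denials can be reviewed), written out as an added shell example. This is not code from the thread, from Splunk or from the selinux_policy_for_splunk project. It assumes `SPLUNK_HOME` defaults to `/opt/splunk`, that `semanage` is available (on RHEL 6 it ships in policycoreutils-python), that `sourcetype = linux_audit` is what the Linux Auditd app expects (an assumption here), and it only touches the live system when run as `sh relabel.sh apply` as root; the parsing helper can be exercised on constructed `ls -Z` output without SELinux present.

```shell
#!/bin/sh
# Added example, not from the thread: persistently label $SPLUNK_HOME/lib as
# lib_t, verify the labels, and index the audit log so AVC denials are visible.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Record the rule in the local file-context policy. chcon only rewrites the
# inode's security.selinux xattr; this survives a relabel and reboots.
persist_lib_context() {
    dir="$1"
    semanage fcontext -a -t lib_t "${dir}(/.*)?" || return 1
    restorecon -R -v "$dir"
}

# Dry-run restorecon: it prints one line per file whose on-disk label differs
# from policy, so empty output means the directory is fully relabelled.
verify_dir_context() {
    drift=$(restorecon -R -n -v "$1")
    [ -z "$drift" ]
}

# Pure text check: $1 = expected type, $2 = text of `ls -Z` output. A context
# field looks like user:role:type:level, so the type is the third colon field.
# Prints "<mismatched> <labelled>"; lines without a context field (e.g.
# "total 12") are ignored.
count_types() {
    printf '%s\n' "$2" | awk -v want="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) {
                    split($i, c, ":")
                    total++
                    if (c[3] != want) bad++
                    break
                }
            }
        }
        END { printf "%d %d\n", bad + 0, total + 0 }'
}

# Verify a real tree with ls -Z (the check dwaddle mentions): succeed only if
# every labelled entry under $1 has type $2.
verify_ls_z() {
    counts=$(count_types "$2" "$(ls -RZ "$1")")
    [ "${counts%% *}" = 0 ]
}

# Idempotently add a monitor stanza for the audit log. $1 overrides the
# inputs.conf path (used by tests); default is Splunk's system/local file.
add_audit_monitor() {
    conf="${1:-$SPLUNK_HOME/etc/system/local/inputs.conf}"
    stanza='[monitor:///var/log/audit/audit.log]'
    if [ -f "$conf" ] && grep -qF "$stanza" "$conf"; then
        return 0
    fi
    # sourcetype is an assumption about what the Linux Auditd app expects
    printf '\n%s\nsourcetype = linux_audit\ndisabled = 0\n' "$stanza" >> "$conf"
}

# Only modify the live system when explicitly asked to.
if [ "$1" = "apply" ]; then
    persist_lib_context "$SPLUNK_HOME/lib" || exit 1
    verify_dir_context "$SPLUNK_HOME/lib" || { echo "labels still differ from policy" >&2; exit 1; }
    verify_ls_z "$SPLUNK_HOME/lib" lib_t || { echo "ls -Z shows non-lib_t entries" >&2; exit 1; }
    add_audit_monitor
fi
```

Running `restorecon -R -n -v` after `semanage fcontext -a` is the quick answer to "did it actually take": if the dry run is silent, the on-disk labels already match the policy that will be reapplied at the next relabel, which is exactly the guarantee a bare `chcon` cannot give.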
